# Poor governance is top factor in insurer failures – Eiopa

By Louie Woodall | Data | 17 July 2018

Breakdowns in internal governance were the most cited reason for failures of large European insurers in a study released today (July 17) by the European Union’s industry watchdog.

The European Insurance and Occupational Pensions Authority (Eiopa) said that at troubled large insurers, internal governance and control risks were the primary cause of failures or near-failures in 14% of cases. Next came managerial and staff competence risks, and the underestimating of reserves needed to meet policyholder obligations, at 13% each. Large insurers are those with balance sheets of more than €100 million ($116 million). The Eiopa report defined internal governance and control risks as “inadequate or failed systems of corporate governance and overall control”. For small insurers, those with balance sheets of less than €100 million, underestimating reserves was given as the primary cause of failures in 16% of cases, followed by managerial and staff incompetence at 15%, and internal governance and control risk, at 13%. The report drew on 180 failures and near failures of insurers from 1999 to 2016, across 31 countries. ### What is it? Eiopa’s report, Failures and near misses in insurance, is the first of several papers intended to educate supervisors on avoiding and managing insurance failures. The study tapped the group’s database of insurance failures, compiled through submissions made by national supervisors. Of the 180 cases reported to Eiopa, 95 related to non-life insurers, 51 to life insurers, 32 to composite insurers and two to reinsurers. Around 80% of cases involved small insurers. Incidences of failure or near miss peaked in 2008, in the teeth of the financial crisis. Eiopa defines a near miss as “a case where an insurer faces specific financial difficulties”, such as when an insurer breaches its solvency requirements and its national supervisor places it in special measures. The risk categories used to determine the causes of insurer failures were taken from a 2002 report on the prudential supervision of insurers prepared by Paul Sharma, then head of the prudential risk department of the UK’s Financial Services Authority. ### Why it matters Eiopa’s fact-finding mission has a practical purpose: to trace historic failures to their root causes and use these to identify early warning signs to avert future catastrophes. In this report, Eiopa concluded low capital ratios are a leading indicator that a firm may run into trouble, along with evidence of bad management. These findings will cheer supporters of Solvency II, the EU’s prudential regulatory framework for insurers, as it has raised minimum capital requirements for firms and supports supervisory intervention when certain capital thresholds are breached. The framework also includes a number of qualitative requirements, such as the “own risk and solvency assessment”, intended to improve governance and hold management to account. ### Get in touch Do you think Solvency II will prevent the sort of insurer failures seen in the past? Perhaps you think the framework will allow new risks to replace those squashed by the framework. Let us know by emailing louie.woodall@infopro-digital.com or tweeting @LouieWoodall or @RiskQuantum ### Tell me more EU insurance solvency ratios strengthen in 2017 – Eiopa View all regulator stories # Wells Fargo sheds low risk assets By Louie Woodall | Data | 13 July 2018 Wells Fargo cut assets with low risk-weights in the second quarter as it grappled with a regulator-imposed limit on balance sheet growth. The San Francisco-based lender shed$35.7 billion (1.9%) worth of assets over the three months to June 30, reducing its balance sheet to $1.88 trillion. However, the regulatory balance sheet, which values assets according to the likelihood they could sour and blow a hole in the bank’s capital buffers, edged up slightly. Risk-weighted assets (RWAs) grew an estimated$1.6 billion (0.1%) over the period.

This suggests the discarded assets this quarter had low risk-weights, and that these reductions were offset by an increase in the risk-weightings of retained assets.

In the three months to March, the bank shed $36.4 billion (1.9%) of assets valued on an accounting basis equating to$7.5 billion (0.6%) of RWAs. Its balance sheet was $1.92 trillion in size at the end of the first quarter. The Federal Reserve slapped a cease-and-desist order on Wells Fargo on February 2 in response to the lender’s “ghost account” scandal – in which bank employees opened hundreds of thousands of deposit and credit card accounts without customers’ consent. The order prevents Wells Fargo from increasing total consolidated assets beyond its end-2017 amount of$1.952 trillion.

### Who said what

“The GAAP [accounting basis] assets that came down have very low risk weights because we are running down high run-off factor deposits where the asset side is sitting in cash” – John Shrewsberry, chief financial officer at Wells Fargo.

### What is it?

Cash parked at banks by other financial institutions are usually the least sticky type of bank funding – or have “high run-off factors”, as Wells Fargo’s Shrewsberry put it –  as these deposits are more likely to be withdrawn at shorter notice than retail or business customers.

This being the case, such deposits would typically be used to fund highly liquid assets that could be monetised at short notice to cover rapid withdrawals. Highly liquid assets tend to be those that garner low risk-weights under regulatory capital rules, such as excess reserves placed at the Federal Reserve and US Treasuries. This dynamic explains why Wells Fargo’s RWAs could stay largely flat quarter-to-quarter even though its assets on an accounting basis shrank by tens of billions of dollars.

### Why it matters

Wells Fargo appears to be continuing with its strategy for managing the Fed’s asset cap it followed in the first quarter – running down flighty commercial deposits on the liability side of the balance sheet and the highly liquid, low risk-weight assets they funded on the asset side.

The bank reported a drain of $9.7 billion in financial institution deposits in the second quarter, of which$3.9 billion were the direct result of actions taken by Wells to manage the asset cap, following a $32.3 billion reduction in the first, of which$15 billion were in response to the cap. The slowing pace of deposit reduction among this customer segment may suggest that Wells is reaching a balance sheet size it is comfortable operating at while under the Fed-imposed limit.

### Get in touch

Will Wells Fargo’s current balance sheet size allow it to both manage the asset cap while growing its loan book? Send your thoughts to louie.woodall@infopro-digital.com or by tweeting @LouieWoodall or @RiskQuantum.

### Tell me more

View all bank stories

# Op risk data: SocGen suffers twin blow with Libor, Libya losses

By Risk staff | Opinion | 4 July 2018

French bank takes top two slots in monthly loss data roundup. Plus review of H1 losses

Societe Generale experienced the largest operational risk loss in June, bringing the total paid by firms in 2018 for Libor manipulation to $1.25 billion. SocGen reached settlements totalling$750 million with the US Department of Justice and the US Commodity Futures Trading Commission after admitting that senior executives had ordered its US dollar Libor submissions to be falsely deflated between May 2010 and October 2011 so that it could borrow money at a more favourable interest rate.

In addition, SocGen employees in Tokyo and London were found to have colluded in 2006 to manipulate the firm’s yen Libor submissions to benefit the trading positions of a co-worker. SocGen will pay $275 million to the DoJ and$475 million to the CFTC in regulatory penalties and disgorgement.

SocGen also incurred last month’s second biggest loss, in settlements totalling $583.8 million with the DoJ and France’s financial prosecutor’s office, PNF, over an alleged bribery scheme in Libya. Between 2004 and 2009, the firm paid bribes to high-level Libyan officials through a local broker to secure a total of$3.66 billion in investments made by Libyan state institutions. SocGen earned around $523 million in profits through the scheme, paying the broker more than$90 million in commissions, which was used for inducements to the Libyan officials.

PNF levied a fine of €250.2 million ($291.6 million). The DoJ imposed a separate$585 million penalty, but half of this amount was credited towards the PNF’s fine.

The third largest loss also concerns the Libyan bribery scheme, as US asset manager Legg Mason reached a $64.2 million agreement with the DoJ over its role. Between 2004 and 2012, around half of the Libyan investments that SocGen obtained through bribes was channelled through Legg Mason subsidiary, Permal Group. Although the DoJ acknowledged that Legg Mason did not itself have any direct contact with Libyan officials, or the broker, Permal earned around$31.6 million from the investments.

The fourth largest loss last month was another settlement with the US DoJ. Credit Suisse agreed to pay a $47 million penalty to end the DoJ’s five-year probe into its improper hiring practices in the Asia-Pacific region. Credit Suisse allegedly hired the sons and daughters of politically influential Chinese families between 2007 and 2013 in order to obtain business, in potential violation of the US Foreign Corrupt Practices Act. Finally, cryptocurrency exchange Coinrail suffered a cyber attack during which hackers stole an estimated 40 billion won ($37.2 million) of mixed cryptocurrencies from its holdings. The assets use the Ethereum blockchain for their transactions, and the amount stolen represented 30% of Coinrail’s token reserves. Two-thirds of the stolen tokens were frozen before they could be sold, and Coinrail moved the remaining reserves to a cold wallet, held offline, following the attack.

In June, two individuals pleaded guilty to defrauding Langley Federal Credit Union of at least 130,700 using information stolen from the US Office of Personnel Management in a data breach announced in June 2015. The OPM suffered two related data breaches involving the records of 22.1 million individuals, including people who underwent background checks for security clearances. The stolen information included full names, birth dates, home addresses and social security numbers. US prosecutors determined that the information of at least six victims of the data breach was used to fraudulently apply for personal and vehicle loans from LFCU over a period of six months. LFCU subsequently issued the loans without determining that the information had been stolen and transferred the personal loans to LFCU accounts opened through the fraudulent applications. This is the first case of fraud using information acquired from the OPM data breach that the US Department of Justice has publicly disclosed. ### Mid-year review: conduct and cyber to the fore Conduct failings accounted for the vast majority of operational risk losses at financial institutions in the first half of 2018. In this year’s stress test exercise, the European Banking Authority defines conduct events as those that align with the Basel categories of ‘Internal fraud’ or ‘Clients, products and business practices’. More than half of the events recorded by ORX News between January and June fall into those two categories. In April, US regulators fined Wells Fargo1 billion for breaching the Consumer Financial Protection Act in its administration of auto insurance and interest rate lock periods on mortgages.

Australian authorities have embarked on a series of conduct risk actions. For example, an ongoing Royal Commission is investigating misconduct in the financial services industry. And on May 1, the Australian Prudential Regulation Authority ordered Commonwealth Bank of Australia to hold an additional $750 million in capital after the regulator found complacency with regard to non-financial risks, including failings in advice and money laundering compliance. Although the order to hold additional capital did not represent a loss, the scope of the regulator’s attention made this of significant interest to risk professionals. Apra identified a range of oversight failings up to board level, rather than focusing on issues relating to a single product line or process. CBA was also fined approximately$550 million in June for money laundering failures.

Conduct risk does not always relate to retail customers. As shown above, US and European regulators fined Societe Generale $860 million for paying bribes to officials in Libya between 2004 and 2009. RBS’s$4.9 billion settlement with the US Department of Justice over mis-selling mortgage-backed securities resolved a major outstanding litigation issue for the UK bank. But the rigging of benchmark rates continues to have an impact in settlements, in some cases 10 years after the original malpractice. For example, Citibank’s $100 million settlement with 42 US states over Libor manipulation harks back to events in 2008. The insurance sector accounted for three of the 50 largest events. The embezzlement of 75 billion yuan ($11.3 billion) by the former chairman of Chinese insurer Anbang was the single highest operational risk event in the first half of 2018.

Cyber risk also continues to be close to the top of many risk managers’ list of priorities. Overall, ORX News recorded 49 cyber-related events in the first half of 2018. The European Union’s General Data Protection Regulation, effective from May 25, imposes more reporting requirements on financial firms, and could expose new areas of vulnerability for would-be cyber attackers in the second half of the year.

Weaknesses in interbank payment systems continue to cause losses to firms with less sophisticated security systems. Payment instructions sent via the Swift messaging network enabled the large-scale external fraud that was reported by Punjab National Bank in February. The firm later estimated its total liabilities from the fraud at $2.2 billion. Swift was also the conduit for the theft of$10 million from Banco De Chile in May. In this case, hackers used malware to cause widespread disruption to the bank’s branch network and online services to distract from the theft.

Other cyber attacks carried out on banks include ransom demands in Canada on BMO and CIBC, following the Simplii data hack; and the creation of falsified bank email addresses in Italy, leading to customers’ accounts being accessed.

Editing by Alex Krohn

All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX and we have not confirmed any of the information shown with any member of ORX.

While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.

# Risk Technology Awards 2018: The Analytics Boutique

## Op risk modelling vendor of the year Op risk scenarios product of the year

The Analytics Boutique (TAB) offers a comprehensive suite of operational risk models, as well as a scenario analysis platform and model validation tools.

OpCapital Analytics provides institutions with all the operational risk modelling functionality they need to gain a deep understanding of their exposures and potential losses. The software supports the modelling and integration of four key data elements – internal loss data, external loss data, scenario analysis, and business and environmental internal control factors – to create an estimate of economic and regulatory capital requirements and to forecast loss under stress scenarios.

In December 2017, TAB introduced Structured Scenario Analysis (SSA), a web platform that manages risk scenario analysis for capital modelling and risk mitigation. SSA provides flexible questionnaires for scenario planning where potential risk scenarios can be identified, voted on and ranked by a panel of experts. Institutions can customise the questionnaires to specific scenarios, with a variety of question types, such as open or closed, as well as various formats for loss estimates. Support data, case studies or other information to help experts with loss estimates can be included. Seed questions, where the answer is known only to the scenario administration team, can be embedded into questionnaires to gauge experts’ skills in evaluating uncertain risk and thus weight their answers accordingly. SSA also includes a number of techniques to mitigate cognitive biases in the experts’ risk evaluations such as group thinking and deferring to authority.

SSA manages the workflow of the scenario evaluation process, scheduling workshops and individual questionnaires. The scenario administrator can enter SSA, view any expert questionnaire at any time and take further action, such as requesting more detail or calling additional meetings.

A causal factor model calculates a transparent cross-scenario correlation matrix from the experts’ answers. User-friendly web-based analytics enable experts to calculate loss distribution and capital estimates given loss estimates. The experts can visualise the impact on risks of introducing mitigation plans, controls or insurance, and calculate the net present value (NPV) of such actions for justifying the required investment.

To reduce correlation matrix size and Monte Carlo simulation demands for large institutions with multiple business units, SSA supports a stepped aggregation process, where scenarios can be first aggregated by risk type to get the total risk of a business unit or legal entity, then by group of entities to obtain their total risk and, finally, by all groups of entities to obtain a single loss distribution for the institution. The number of aggregation steps is flexible and almost unlimited. Five major institutions are already using SSA, with three more testing it.

OpCapital Analytics and SSA include modules for exhaustive model validation with functions such as one-click model replication, audit trail, modelling journal and parameter sensitivity analysis. Regulatory approval reports including all information required by an external analyst to replicate the model can be generated by a single click.

To ensure users are in full control of the modelling process, and to avoid its software being perceived as a ‘black box’, TAB publishes its modelling methods extensively. With the same philosophy in mind, the company – unusually – also opens its source code to its users.

Rafael Cavestany Sanz‑Briz, founder and chief executive officer of TAB says: “SSA is a web-based platform that collects and manages risk scenario analysis for capital modelling and risk mitigation, maximising results quality and process efficiency. It provides full workflow, with on‑the‑fly user‑friendly modelling and Monte Carlo simulation permitting the monetisation of risk estimates, rather than traditional traffic-light maps. With monetised risk estimates, SSA calculates the NPV of the introduction of mitigation plans and insurance policies directly linking risk measurement with risk management. SSA permits the calculation of rigorous and stable capital requirements, reflecting calculated cross-scenario robust correlations. Finally, SSA is designed to mitigate cognitive biases implicit in judgement-based risk evaluations.”

TAB has extensive operational risk modelling functionality, many users and a good reputation”

TAB offers detailed, comprehensive and advanced functionality”

TAB has a clear product proposition with many users and good references from the market”

# Bank boards: goodbye to the prawn sandwich brigade?

By Tom Osborn | Opinion | 2 July 2018

Focus on personal liability makes risk committees a more effective challenge, say banks

Football fans may be familiar with the phrase ‘prawn sandwich brigade’. It was coined after then-Manchester United captain Roy Keane ranted about a perceived lack of support from his team’s home crowd during a game against Ukraine’s Dynamo Kiev in 2000.

“Some [fans] come here and you have to wonder, do they understand the game of football?” Keane said. “They have a few drinks and probably the prawn sandwiches, and they don’t realise what’s going on out on the pitch. I don’t think some of the people who come to Old Trafford can spell football, never mind understand it.”

Apparently, similar failings afflicted board-level risk committees within the banking industry, until recently.

In the words of Stephen Creese, Citi’s head of op risk for Europe, the Middle East and Africa, boards have “gone from turning up once a quarter for a prawn sandwich to being down in the weeds of what you do”.

Creese, who was speaking at OpRisk Europe in June, suggested regulations that target directors personally, rather than the institution they serve, have brought about this change in mindset. He cited the UK’s Senior Managers & Certification regime, under which the head of a bank’s risk committee is now a designated, regulator-set function, as a prime example. All non-executive directors who sit on bank boards are also subjected to greater scrutiny; they can expect an interview with the bank’s regulator that will probe their understanding of a firm’s business model, the markets it operates in, and the attendant risks it faces before they can take their seat.

###### Boards have gone from turning up once a quarter for a prawn sandwich to being down in the weeds of what you do

Stephen Creese, Citi

“It’s very noticeable now that a lot of boards, depending on their regulatory regime, are very sensitive to the liability they face. The level of detail and challenge we now get, I’ve never experienced in the last 20 years, even in the aftermath of the crisis. They don’t just want comprehensive data, but a crystallised view on where you are on your risk appetite spectrum – to the point that, often if I get thrown a question on reporting or control issues and corrective actions to those issues, you’ve got to provide reassurance that we’re OK to open the doors in the morning,” he said.

In the US, meanwhile, the Federal Reserve also now insists at least one member of a bank’s risk committee must have bona fide risk management experience at a large financial institution.

These rules have not produced much change in the composition of board-level risk committees. Over the past month, Risk.net ran the rule over committees at 15 large global banks – repeating an exercise we first conducted in 2012. Only four of the banks boasted a former chief risk officer on their risk committees – the same number as six years ago.

But conversations with risk managers suggest the headline numbers belie a dramatic shift in attitudes among committee members to the job they’re asked to do – as Citi’s Creese claimed. Several current and former CROs Risk.net spoke to in the course of its research claim the level of effective challenge they receive from their board is unrecognisable from the level exercised two decades ago, during the pre-crisis boom years.

That is a good thing, of course, but the right attitude will only take you so far. Some still argue banks are not stocking their risk committees with enough former practitioners. To adapt Roy Keane’s litmus test, risk committee members may be supporting the team more passionately, but do they genuinely understand what’s happening on the pitch?

# UK banks ramp up market risk

By Alessandro Aimone | Data | 28 June 2018

Market risk rose across UK banks in the first quarter, while operational, credit and counterparty risk declined, figures from the Bank of England (BoE) show.

Market risk-weighted assets (RWAs) grew by £23 billion, or 6.2%, year-on-year, to £397 billion, with the increase over the last quarter alone amounting to £18 billion, or 4.9%.

In contrast, credit and counterparty RWAs were 3.9% lower at £2.08 trillion, down from £2.2 trillion a year ago. Operational RWAs were also lower year-on-year, with total values going from £318 billion to £295 billion, a 7.2% drop. Credit valuation adjustment RWAs fell a whopping 35.7%, or £53 billion, to £95 billion.

Total RWAs amounted to £2.9 trillion in March, down £8 billion, or 0.3%, from December 2017, and down £159 billion, or 5.2%, from a year ago.

Despite the increase in market RWAs, the UK banking system remains well capitalised, with the BoE reporting capital ratios for the sector above minimum requirements imposed by the capital requirements regulation of 2013, although they are lower both quarter-on-quarter and year-on-year.

The total capital ratio for the UK banking sector decreased 30 basis points to 20.2% at the end of March, compared with the previous quarter. The decrease was driven by a reduction in the capital held by UK banks, which dropped by £10 billion, or 1.7%, to £584 billion in the first quarter of the year.

The capital reduction was even more significant when compared with a year ago, when total capital amounted to £615 billion, 5% higher than in the first quarter of 2018.

### What is it?

The Bank of England publishes quarterly statistical releases on the capital levels and RWAs for the UK banking sector.

Risk-weighted assets are used to determine the minimum amount of regulatory capital that must be held by banks. Each banking asset is assessed on its risks: the riskier the asset, the higher the RWA and the greater the amount of regulatory capital that must be put aside.

### Why it matters

The composition of RWAs at UK banks is changing over time, with market risk on the rise and at an all-time high since the BoE started making data publicly available, while credit and counterparty risks are at their lowest level since 2014, in line with a downtrend that began two years ago.

What does this tell us about the UK banking sector? The increase in market RWAs indicates dealers are operating in a more volatile environment, which incentivises trading and risk-taking. Things are shaking up a bit, following years of record-low interest rates and stagnant economic growth. The decline in credit and counterparty RWAs, on the other hand, may signal improved credit quality among banks’ universe of borrowers. Determining why operational RWA values have dived, meanwhile, is trickier; it could reflect changed model inputs, regulatory forbearance, or a decline in the relative frequency of some big historical losses, or indeed all of these and more.

### Get in touch

What’s your take on these latest figures on the UK banking sector? Let us know by dropping us a line at alessandro.aimone@infopro-digital.com, or sending a tweet to @aimoneale or @RiskQuantum.

### Tell me more

UK banks’ CVA capital charges drop 24% in 2017

View all regulator stories

# Quants tout exposure-based approach to op risk modelling

By Luke Clancy | News | 28 June 2018

Ebor especially suited to modelling loss events such as legal claims, say proponents

Operational risk modelling has long been viewed as something of an alchemic process, reliant to a greater or lesser degree on making sense of patterns in historical losses to predict future capital requirements. Now, a group of op risk experts is proposing an alternative quantification technique based instead on current exposures and event frequencies – an approach the experts say has longevity for banks, even after the current internal models regime is scrapped.

The approach, dubbed the exposure-based operational risk (Ebor) model, aims to produce better outcomes than those achieved by historical severity curves favoured by the current own-models approach for certain subcategories of op risk, such as such as litigation risks or rogue trading risks.

The experts contend in their paper that Ebor offers several advantages over the loss distribution approach (LDA) – under which historical loss distributions are assumed to be the best predictor of future loss patterns, and which has come to dominate op risk modelling approaches, despite a number of known limitations.

The use of LDA for certain risk types has been observed to undercapitalise known loss events before they occur, and overcapitalise for risk after the losses materialise, creating inappropriate capital estimates, says Michael Einemann, one of the paper’s authors. Conversely, where a bank often has in-depth knowledge about the underlying risk, such as the likelihood and amount of a payment, it makes sense to use that information to more accurately predict exposure, he says.

“Predictive factors for the operational risks are not captured in LDA, but could be assigned using a combination of statistical modelling and expert judgement, allowing for factor-based quantification of capital requirements,” says Einemann.

For other risk types that have more predictable characteristics – which they are expected to maintain for at least the next 12 months – it is problematic to rely almost exclusively on the historical loss experience, argues the paper, Operational risk measurement beyond the loss distribution approach: an exposure-based methodology.

Most obviously, litigation events related to the sale of mortgage-backed securities emerged after the financial crisis as a huge source of operational risk. A report by the Boston Consulting Group shows that the 50 largest US and European banks paid cumulative financial penalties of about $320 billion from 2007 through to the end of 2016, largely as a result of crisis-era misdeeds. ###### The application of Ebor to a portfolio of pending litigations is particularly well suited, due to better usage of existing information Michael Einemann, paper co-author Since its inception under Basel II, the current advanced measurement approach (AMA) to modelling op risk losses has routinely attracted criticism from banks. Former Standard Chartered chief executive Peter Sands has argued banks should cease trying to model large, hard-to-predict, infrequently occurring losses such as outsize regulatory fines, and find a different way of accounting for them. The authors argue the Ebor framework could be used to develop a model for pending litigations, where the event triggering the filing of the litigation has already happened and only the final outcome of the court case has to be modelled. Conceptually, this model could be extended to include potential future litigations, such as those based on credit properties of an underlying issuance portfolio. The paper asserts that the Ebor model can even be used for situations with potentially very large – but not infinite – exposures. In another example of its potential utility, for rogue trading, the model could take into account a specific group of traders, with a homogeneous probability of going rogue as frequency exposure. It could then model, for each rogue trading event, the severity based on the size of a hidden position as severity exposure, and time to detection or market movement as severity risk factors. The approach has a shelf life beyond the death of the AMA, argue the authors, pointing out that the AMA’s replacement – the standardised measurement approach – has been shown to suffer from a number of deficiencies that make it unsuitable for a risk-sensitive quantification of operational risks – reinforcing the need for alternative modelling techniques, which banks have said will still be needed for Pillar 2 capital calculations and internal risk management purposes. Other potential applications of the Ebor model, the authors suggest, include satisfying the European Union-wide stress tests undertaken by the European Banking Authority, and the US Federal Reserve’s Comprehensive Capital Analysis and Review programme. One of the key benefits of the Ebor model, they argue, is its ability to determine risk contributions for individual loss events. The increased model granularity combined with forward-looking expert assessment leads to a more realistic dynamic of capital estimates. Individual events can be modelled in a more granular and comprehensive way than in LDA models, facilitating a better reflection of loss-generating mechanisms as well as risk mitigants. In the hypothetical example of potential losses from litigation, the model behaviour is illustrated for five different phases of the litigation life cycle: initial filing; first internal risk assessment; refinement when more information becomes available; the establishment of a provision to final payment; and closure of the matter. These characteristics would be treated differently under the LDA, where historical cases determine the frequency and severity variables specified for litigation risk. In addition, the litigation would have been ignored until the fourth phase – provisioning for payment – under a traditional LDA, leading to undercapitalisation at the beginning of the litigation life cycle and overcapitalisation after the loss materialises. Einemann says: “The application of Ebor to a portfolio of pending litigations is particularly well suited for an exposure-based approach, due to better usage of existing information and more plausible model behaviour over the litigation lifecycle.” He adds that Ebor can facilitate communication among quants, risk managers and business experts, to ensure that discussions aim to identify and manage underlying risk drivers, instead of solely debating historical losses. “In our experience, non-quant experts are more willing to share expertise and data from their day-to-day business as input into Ebor models than to accept statistical relationships under the LDA if they have difficulties in understanding the link to the actual risk exposure,” he says. The authors also propose the integration of Ebor and LDA models into hybrid frameworks, facilitating the migration of operational risk subtypes from a classical to an exposure-based treatment. The paper acknowledges that, in general, the development, calibration and validation of Ebor models represent a challenging task, since new types of data and a higher degree of expert involvement across an institution would be required to support them. But in return, they argue, Ebor models promise a transparent quantitative framework for combining forward-looking assessments of subject matter experts, historical loss experience and point-in-time data, such as current portfolios, instead of relying mainly on historical loss data. # Bank risk committees: desperately seeking risk managers By Steve Marlin | Features | 27 June 2018 Most boards still lack career risk specialists despite tighter governance requirements Click here for table showing bank risk committee composition Regulators have spent the last several years toughening their rules on the quality of banks’ risk oversight. They had good reason to act: in the years that followed the crisis, it was acknowledged risk committees were often too stretched to wield proper oversight of banks’ risk appetites, and in many cases too lacking in expertise to understand them – even where they met regularly enough to form a proper view. But despite some marquee appointments, how much has actually changed? Today, those committees include many executives with financial backgrounds, even a few with gilt-edged careers, such as former UK chancellor Alistair Darling, who sits on the board of Morgan Stanley. But about half of the risk committee members of top banks come from outside the sector: utilities, publishing, technology and commercial property, to name a few (click here to see table B, at the end of this article). Among them are: Franz Humer, former chairman of the Roche pharmaceutical company; Suzanne Vautrinot, a retired major general in the US Air Force; François Thibault, an agricultural engineer known for developing the recipe for Grey Goose vodka; and Ernesto Zedillo, a former president of Mexico. Critics say panels are light on execs with frontline risk management experience. Of the 82 people sitting on the risk committees of 15 large global banks studied by Risk.net, only four are former chief risk officers. That number is unchanged from 2012, when Risk.net last counted. Roughly two-thirds of the 82 total have a background in finance – 41 are former bankers, while 15 previously worked in asset management and insurance. About half of those on the committees had risen to the C-suite – 29 to chief executive. So, does the lack of hands-on risk expertise matter? Some were surprised by the dearth of it on the committees. “There should be at least one independent CRO on that board. Somebody who understands the risks of the industry,” says Craig Spielmann, CEO of consultancy RiskTao, and the former global head of operational risk systems and analytics at the Royal Bank of Scotland. Another former bank risk manager comments: “It looks a bit patchy, to say the least.” Some take a more optimistic view, however, arguing the level of risk management expertise on committees has improved dramatically since the dog days of the crisis. “They are getting more risk experts,” says Mark Watson, deputy leader for Americas financial services board matters at EY, of the committees. “They may not have been cast as risk experts, but have been in prominent roles in the financial services industry overseeing risk, maybe from the first line, or maybe from another industry. A lot of them are former operating executives.” Yet others note the job is now getting harder. Risk now extends well beyond loan and trading books to cyber attacks, political convulsions, reputational hazards and other events for which experts from other fields would be useful. “The job of the risk function has changed so much even in the time that I took the role,” says Daniel Moore, CRO at Scotiabank since April last year, and previously markets CRO for two years. “Whereas once our main focus was on corporate commercial credit, our risk portfolio has expanded to include dimensions of data, anti-money-laundering, conduct, operational risk, cyber security and more.” Constructive dissent, whether from a mix of skills or personalities, is the goal. Moore says Scotiabank’s risk committee has shown an increased willingness to probe and challenge management on topics, such as free trade, Brexit, cyber and money laundering. “We enjoy a lot more challenge, a lot more advisory function than we did in the past,” he says. ### Who qualifies? The regulatory requirements set out in the Federal Reserve’s Enhanced Prudential Standards for banks with over$50 billion in consolidated assets – which were being drafted in 2012 when Risk.net conducted its first survey and were finalised in 2014 – are broadly drawn.

Banks are required to appoint “at least one risk management expert having experience in identifying, assessing and managing risk exposures of large, complex financial firms” to their risk committees. The rule also states that all risk committee members should generally “have an understanding of risk management principles and practices relevant to the company”.

Regulators in other jurisdictions have similar requirements, but the language is somewhat softer than the Fed rule. The European Banking Authority, under guidelines issued in 2017 implementing the European Union’s Capital Requirements Directive IV, requires that “members of the risk committee should have, individually and collectively, appropriate knowledge, skills and expertise concerning risk management and control practices”.

Similarly, the UK’s Financial Conduct Authority requires that “members of the risk committee must have appropriate knowledge, skills and expertise to fully understand and monitor the risk strategy and the risk appetite of the firm”.

###### There should be at least one independent CRO on that board. Somebody who understands the risks of the industry

Craig Spielmann, RiskTao

Some banks clearly meet those requirements. Linda Bammann, a former deputy head of risk management at JP Morgan, leads its risk committee. At Credit Suisse, Andreas Gottschling, ex-CRO at the Erste Group, fulfils that role. Two other banks also have CROs on their committees: Bank of America has Thomas Woods, former CRO at CIBC, while RBS has Morten Friis, former CRO at Royal Bank of Canada.

The level of risk management expertise on the committees of other banks is harder to gauge. For instance, Bank of America says in its proxy statement that “all committee members satisfy the risk expertise requirements for directors of a risk committee under the Federal Reserve Board’s Enhanced Prudential Standards”. Its risk committee includes the former publisher of the largest Spanish-language newspaper in the US and an ex-Nasa scientist.

Jeremy Kress, a former Fed attorney who helped draft the rule, notes the regulatory language was drafted broadly so that different types of risk management experience could qualify. “You would expect that someone who has worked as a CFO at a large financial institution would qualify, and that seems to be the vast majority,” he says.

There is a spectrum of views on the level of financial risk management experience that committee members must possess, and the benefits of seeking out candidates from outside finance. There is even debate over whether those from regulatory backgrounds qualify.

“Being a member of the Federal Reserve Board does not necessarily qualify you to be a member of the risk committee,” says Mark Carey, co-president of the Garp Risk Institute and a former Fed economist. “You could be somebody that spends all of their time on monetary policy and doesn’t know much about financial institutions. In contrast, if you have been deeply involved in banking supervision and regulation issues, maybe you are qualified.”

###### If the people who are receiving the information are not aware of the assumptions, it will be very difficult for them to ask the right questions

Evan Sekeris, Oliver Wyman

Anthony Santomero, a former president of the Federal Reserve Bank of Philadelphia, is on the risk committee of Citigroup, while Elizabeth Duke and Susan Bies, both former Fed governors, sit on the committees of Wells Fargo and Bank of America, respectively.

Others, however, say regulators bring an understanding of the intricacies of policy, and committees can benefit from that first-hand knowledge.

Moore says the chairman of Scotiabank’s risk committee, Tiff Macklem, a former senior deputy governor of the Bank of Canada, has been instrumental in bringing “a challenger function” to the bank’s risk committee, thanks to his different perspectives on risk management.

### Value of VAR

A risk committee not only needs to have an understanding of market, credit and operational risks, but also needs to be able to interpret and see behind metrics like value-at-risk, or VAR, and expected shortfall. Some believe that deeper knowledge of quantitative risk management is sorely needed on the committees – and missing in members who lack a risk background.

“What you see too often is a focus on simplistic metrics like VAR. These are meant to summarise the risk – but they come with assumptions, and if the people who are receiving the information are not aware of the assumptions, it will be very difficult for them to ask the right questions,” says Evan Sekeris, a partner at Oliver Wyman.

It typically falls to CROs to bring committee members up to speed – several of whom say they spend an inordinate amount of time at meetings clarifying the meaning of basic metrics such as VAR. For instance, committee members might assume, incorrectly, that VAR is equivalent to the maximum loss the bank could suffer, says a risk executive at a Swiss bank.

“A VAR of $30 million doesn’t mean the maximum you can lose is$30 million. It means every hundred days, you will lose at least $30 million – but you could lose a billion and still have a VAR of$30 million. When a new risk committee member joins, we spend a lot of time explaining what the risk measures mean.”

These tutorials, however, leave committee members in the peculiar position of having to evaluate the risk management practices of the very person they depend on to understand those practices. Invariably, the bank’s CRO is the principal conduit of information to risk committees, regardless of their make-up.

###### Being a member of the Federal Reserve Board does not necessarily qualify you to be a member of the risk committee

Mark Carey, Garp Risk Institute

One risk officer at a North American bank says he has a one-on-one discussion with his risk committee’s chair prior to each meeting, covering what’s the priority for each of them. At committee meetings, the CRO then presents an assessment of risks across the bank, including a high-level summary and an appendix that provides detailed analysis of key risks. The meetings typically run for one-and-a-half days, he says. At the end, business and risk specialists from the bank are brought in to discuss topics of particular interest to the committee.

How much information a risk officer gives a committee should be carefully balanced, says one CRO at a North American bank, as non-experts can easily be deluged with detail. Rather than providing voluminous commentary and tables, the CRO says he creates infographics that convey the key points.

“We want to present more signal and less noise. We try to provide enough information that the board can appropriately discharge their duties – which isn't to say it’s high-level,” he says. “We need to be careful of the perspective that more information represents better disclosure. That’s not the case, in my view.”

Others believe the committees don’t necessarily need to understand the intricacies of risk down to the desk level – but they do need to be able to ask the right questions. If they detect a pattern in a given set of transactions, they need to know enough to address it, and to evaluate the answers they're getting.

“I'm less upset that somebody doesn’t know how to do Greeks than if a head of a risk committee doesn’t know how to do risk at all, especially how to think about it strategically,” Carey, the co-president of Garp Risk Institute, says.

### Shifting skillsets

Carey’s stance nods to what many see as the changing role of the CRO function itself. Many argue it is increasingly likely the CRO of the future will have a stronger background in non-financial risk, given regulators’ tightening focus on the discipline, and a growing consensus that operational risks pose a bigger existential threat to banks than market or credit risk.

This focus also needs to be reflected in bank risk committees, CROs say. Op risk subcategories such as cyber and misconduct have taxonomies all their own, and justify, some say, a more varied range of expertise.

Op risks, and regulators’ response to them, can make or break a bank. For a long time, Wells Fargo was seen as one of the few US lenders to burnish its reputation in the years that followed the financial crisis; that changed overnight in September 2016, when Wells was found to have foisted ghost accounts on to unsuspecting customers for years, demolishing its corporate image and hobbling it with multimillion-dollar penalties.

The bank has responded at the board level. Wells now has risk subcommittees dealing with technology, information security, cyber risk, data governance and management.

Wells’s risk committee has seen substantial turnover since its phony accounts scandal came to light. Enrique Hernandez, CEO of a private security firm, stepped down as chairman of the risk committee and was replaced by Karen Peetz, the former president of BNY Mellon, in February 2017. Four others – including former US energy secretary Federico Peña and Lloyd Dean, CEO of Dignity Health – were removed from the committee. New members include Juan Pujadas, who led PwC’s US advisory practice until 2003 and was previously the CRO of Santander’s international investment banking arm from 1995 to 1998.

###### I remain convinced that risk committee directors are too busy to do their jobs effectively

Jeremy Kress, former Federal Reserve attorney

Wells Fargo is not the only bank to pay the price for failing to effectively manage the phalanx of so-called non-financial risks, such as fraud, cyber-attack and technology outages.

Earlier this year, the Commonwealth Bank of Australia was fined A$700 million ($515 million) – the biggest corporate settlement in the country’s history – for breaches of anti-money laundering and terrorist financing laws. A report published by the Australian Prudential Regulation Authority in May criticised the bank for overlooking non-financial operational, compliance and conduct risks as well as “cultural themes” that hurt the bank, even as its CRO presented the board with a picture of its financial risk.

Mark Lawrence, a former CRO at ANZ, says the board-level oversight of CBA was severely lacking. “The board just didn’t know what it didn’t know.”

At a Basel Committee on Banking Supervision forum for bank CROs held earlier this year, regulators made it clear they expect global systemically important financial institutions to focus more on just these sorts of risks, and several of those present indicated they were considering appointing heads of non-financial risk in response. Some banks have moved to reflect this in their risk committees too: Citigroup has a subcommittee on data governance, quality and integrity.

Sanjay Sharma, chairman of GreenPoint Global and a former CRO of global arbitrage and trading at RBC Capital Markets, says risk committee members should be selected for their expertise in both financial and non-financial risk. “Risk at banks is not just financial now,” he says. “You don’t need marquee names – what you need are technocrats.”

### Time-consuming process

Yet another issue is the amount of time a committee member has for the job.

“I remain convinced that risk committee directors are too busy to do their jobs effectively,” says Kress, the former Fed lawyer. “Many of these directors have full-time jobs. Most of them sit on at least one other public company board. How can we expect them to oversee risk at a $2 trillion organisation when they've got so much else going on?” Kress advocates limiting risk committee chairs to serving on no more than one other board of a public company, and having the Fed review the outside commitments of committee members. The quality of a bank’s risk committee could factor into the Fed’s new risk rating system for banks, he adds. Several people Risk.net spoke to for this article stress the need for greater independence by risk committee directors. Even if they meet statutory requirements for independence, they may still have deep ties to the companies they’ve worked at in the past, as well as other types of conflicts. “You could be completely independent under that rule, but if you were college roommates with the CEO and have served on boards together, maybe that’s not as independent as it looks,” says a risk management consultant. Back to top Editing by Joan O’Neill Back to top # Ex-CROs lacking on bank risk committees By Steve Marlin | News | 25 June 2018 Only four former CROs are members of committees at 15 large banks, same total as 2012 An analysis of 15 large banks reveals only four have former chief risk officers (CROs) with large bank experience as external members of their board risk committees – the same number as in 2012, when Risk.net undertook a study of committees at the same firms. Risk.net’s updated study – which will be published online later this week – shows many of the committee members from 2012 are still there, and, while they bring impressive CVs, few have passed through the ranks of banks’ financial risk management divisions. That is despite a requirement from 2014 for US banks to appoint at least one external member with a background in risk management at large and complex financial institutions. “While there has been some progress, there is still a struggle to have risk experts on risk committees,” says Marcelo Cruz, managing partner at risk consultancy Yacamy Advisors, and former CRO of mortgage service provider Ocwen. Many banks have increased the size of their risk committees. All told, there are currently 82 members at the 15 banks, versus 75 in 2012. Three committees have the same chairman as they did in 2012: Frank Bramble at Bank of America; Anthony Santomero at Citi; and David Sidwell at UBS. Frontline risk management experience among the committees appears to vary widely. Many boards have current and former senior executives from financial services, such as chief financial officers (CFOs) and CEOs, as well as ex-regulators. There are also a number of executives from non-financial industries, such as petroleum, technology, pharmaceuticals, consulting, publishing and defence. Risk governance is attracting greater regulatory scrutiny. The US Federal Reserve’s enhanced prudential standards, in effect since 2014, stipulate risk committees should include “at least one risk management expert having experience in identifying, assessing and managing risk exposures of large, complex financial firms.” Bank of America and JP Morgan have a former CRO or equivalent on their committees. Citi has Michael O’Neill, a former CFO of Bank of America. Goldman Sachs has David Viniar, its former CFO. Morgan Stanley has the former CEO of Wellington Management, an asset management firm, as its risk committee chairman. Wells Fargo has the former president of BNY Mellon as its risk committee chairman. ###### You don’t necessarily need CROs, but true risk professionals are the most desirable category Former bank CRO Regulators in other jurisdictions have similar requirements, but the language is somewhat softer than the Fed rule. The European Banking Authority, under guidelines issued in 2017 implementing the European Union’s Capital Requirements Directive IV, requires that “members of the risk committee should have, individually and collectively, appropriate knowledge, skills and expertise concerning risk management and control practices”. Similarly, the UK’s Financial Conduct Authority requires that “members of the risk committee must have appropriate knowledge, skills and expertise to fully understand and monitor the risk strategy and the risk appetite of the firm”. One challenge to having more CROs serve on risk committees is the scarcity of candidates who are willing and able to serve on boards. Compared with other C-level executives, such as CFOs and chief operating officers, CROs are in relatively short supply, observers point out, because that title hasn’t existed as long. However, this doesn’t preclude having senior risk executives who have worked a rung below the CRO level. By relaxing the criteria slightly, the pool of available candidates could be greatly expanded. “You don’t necessarily need CROs, but true risk professionals are the most desirable category,” says one former bank CRO. “The second category is front-line risk takers who understand the risk of the markets or of credit. There are hundreds of business heads and divisional risk managers. “ Editing by Tom Osborn and Kris Devasabai # Has op risk capital peaked for US banks? By Tom Osborn | News | 25 June 2018 Analysts expect steady fall in biggest banks’$1.4 trillion in RWAs

Operational risk capital – for so long the bane of big US banks – may finally have passed its high-water mark, as the pace of fines racked up for crisis-era misdeeds starts to abate.

Three of the big five US banks reported falls in operational risk-weighted assets (RWAs) during the first quarter of 2018: at Citi, the drop was $2.5 billion; at Goldman Sachs it was$3.3 billion; at Morgan Stanley, $178 million (see figure 1). The totals for JP Morgan and Bank of America Merrill Lynch were both static. Op risk capital experts say the falls are not due to large losses dropping out of the data histories used in bank capital models – instead, it is because these losses are now happening less frequently. “As we move away from the crisis, more benign losses are coming in that are essentially rebalancing your data set,” says one bank lobbyist. A senior op risk practitioner says this should produce a gradual slide in capital for most large US banks: “As long as the economic environment remains good, and losses remain in the ‘normal’ range – which is non-crisis-era-sized losses – we should observe a continuous erosion of that number. It’ll be a slow erosion – up to 0.5–1% each quarter at most – but it could keep going for some time, as banks readjust their internal loss frequencies.” The latest quarterly falls continued a recent trend. In total, op risk RWAs for the big five US banks have fallen by roughly$30 billion since peaking at just under $1.5 trillion at the end of 2015. For the industry as a whole, publicly reported op risk losses peaked at$95 billion in 2014, according to data from ORX News – in 2017, the loss total was $23 billion (see figure 2). If op risk capital has peaked, it will be welcome news for bank chiefs, who had been frustrated by their inability to do anything about the growing capital burden. Jamie Dimon, JP Morgan’s chief executive, famously called for op risk capital rules to be “significantly modified, if not eliminated” in his annual letter to shareholders last year. Unlike market and credit risk, banks can do little to manage down their op risk capital once losses have occurred – regulators do not allow big events to be ‘forgotten’ unless there are exceptional circumstances, such as the full divestment of a business entity. In Switzerland, the domestic supervisor, Finma, this year allowed Credit Suisse to cut$11 billion in RWAs to divested businesses, such as its US private bank – but experts say the US Federal Reserve is not likely to follow suit.

“Any loss that’s in your database has to remain there forever. You’re not going to see them doing something like they did in Switzerland for Credit Suisse,” says the senior op risk practitioner.

The models themselves may also be frozen in time. Even though the loss data is changing, the Federal Reserve is said to have no appetite to review and approve substantial alterations to the models, given the advanced measurement approach (AMA) regime is due to be scrapped and the models replaced.

“The US is not revising or reviewing AMA models anymore. At most, they'll consider very small revisions, as long as they do not result in any meaningful change to your RWAs,” says one person familiar with the supervisor’s thinking.

The Fed declined to comment.

### Less-frequent catastrophes

So, what is driving the falls? The three banks that saw first-quarter falls offer similar explanations. Citi says it stemmed from “changes in operational loss severity and frequency”, while Morgan Stanley says it was due to “a reduction in the internal loss frequency related to litigation utilised in [its] operational risk capital model”. Goldman’s chief financial officer, Marty Chavez, said during the bank’s earnings call that it had seen a “continuing roll-off” in operational RWAs, but did not say why.

Most US banks employ a so-called loss distribution approach (LDA) to calculating op risk capital. This is dominated by two components: the severity of losses a bank has suffered, and the frequency with which they occur. When a bank suffers a record loss, the upper bound of its loss distribution gets pushed out further.

A bank’s loss frequency is measured as the number of annualised loss events it has suffered above a given threshold. Banks can set this threshold where they like, provided their regulator agrees. Citi, for instance, is understood to set its threshold at $20,000 – meaning losses under this amount will not be factored into its AMA model. Citi did not comment when approached. Op risk loss events fall into two broad categories: low-frequency, high-impact losses, such as large regulatory fines or rogue trading losses; and high-frequency, low-impact losses, such as relatively low-level thefts or frauds still large enough to trip a bank’s threshold. ###### As we move away from the crisis, more benign losses are coming in that are essentially rebalancing your data set Bank lobbyist Under the LDA, individual losses do not get averaged, explains one op risk quant; rather, banks take an annualised moving average of their loss frequencies over a given time horizon – typically three years – with the total sum of loss severities within the sample then used to estimate required capital. This procedure is repeated at least a thousand times, with the top 1,000th sample by size, measured to a 99.9% confidence level, the one that gets used – a very conservative measure. For the three banks in question, the largest event in their respective loss histories is likely to be the settlement they reached with US authorities over the misselling of mortgage-backed securities during the 2000s. Citi settled at a cost of$7 billion in 2014; Goldman, $5 billion in 2016; and Morgan Stanley$3.2 billion.

“Regulators have made it clear over and over again that banks must use ‘fat-tailed’ distributions in their op risk models to be able to capture large losses,” says one op risk quant. “The larger the losses, the ‘fatter’ or more ‘heavy-tailed’ the distribution. Distributions that are commonly used in op risk modelling are much wider than those used in market and credit risk modelling.”

This highly conservative approach means banks have to retain outsize loses; their LDA model’s loss distribution will be skewed by their severity. But the frequency component of the LDA model means they are not the only determinant of a bank’s op risk capital. As new data gets added to a bank’s rolling average of annualised loss frequencies, those outsized losses look less and less likely to recur.

This smoothing effect will translate into a gradual roll-down of RWAs, providing no new clusters of large losses are added.

###### The high-impact losses are still happening, but there are fewer of them, too, particularly fines

Bank lobbyist

“As the new data comes in, you use the same models, but you recalibrate them with the new quarters of data. And the recalibration is basically telling the model that the frequency of loss events is going down,” says the op risk quant. “That makes especial sense for Morgan Stanley and Goldman, which only became Fed-regulated in 2008. Their data sets are shorter than, say, Bank of America’s; it means their data was heavily skewed by data from the crisis.”

Provided the three banks in question have not adjusted their rolling average time horizon, then the decreases they each saw in the first quarter are likely to point to a decrease in loss frequencies. Citi, for instance, is understood to have seen around a 50% drop in op risk events triggering its loss threshold in the past couple of years.

“I don’t know if [the three banks] have revised those time periods. If that time window has been stable, then any fall in RWAs likely points to a fall in the frequency of loss events – probably high-frequency, low-impact losses. That has a relevant impact. The high-impact losses are still happening, but there are fewer of them, too, particularly fines,” says one bank lobbyist.

If the Fed decided to turn away requests for AMA changes, however, the best banks can hope for is a gradual roll-down in RWAs, rather than any dramatic falls.

“There’s an understanding that some banks’ models need some sprucing up right now – data has changed and all that – but it would take too much time to review them,” says the bank lobbyist. “And since the AMA is basically dead, why spend any more time and precious resources reviewing something we know you can only use for a certain amount of time? So you might as well just use what you have now, even if it’s imperfect.”

Morgan Stanley declined to provide a comment. Goldman did not respond to a request for comment.