Customers: B&N Bank Moscow; Financial Services, Investments and Auditing
Contractors: SAS Russia
Product: SAS Enterprise Risk Management
Project date: 2010/03 - 2010/04
Risk management in banks came to the forefront during the global economic crisis, which in many respects resulted from financial companies incorrectly assessing the consequences of their actions. Regulators in a number of countries raised their requirements for how banks and credit institutions account for risk, which encouraged the adoption of specialized solutions that automate risk management processes and reduce the impact of risks on the activity of financial companies. One of the first Russian banks to cope successfully with this task was B&N BANK, which implemented a solution from SAS, the world's leading provider of risk management systems. Pavel Samokhvalov, director of the risk department at B&N BANK, shared his experience and spoke about the features of the project and the results of implementing SAS OpRisk Management at the bank.[1]
Pavel, in your opinion, how actively do Russian banks apply technological solutions to risk management today?
Pavel Samokhvalov: The situation differs significantly from bank to bank. In general, such systems are probably not very widespread so far. Not all credit institutions can afford to purchase them, since high-quality risk management solutions are expensive, but this is absolutely justified. Large banks, especially those that have recently re-equipped technically, have either installed such solutions or are in the process of implementing them. It is clear that credit institutions with Western capital are better equipped with the necessary technology products. Other Russian banks decide whether to acquire or to decline risk management solutions based on the maturity of the specific organization: the maturity of its IT infrastructure and the maturity of its risk management system in terms of regulations and methodology.
Can a modern bank do without specialized technological solutions for risk management?
P.S.: Risk management systems are traditionally not counted among mission-critical systems such as the core banking system, solutions for preparing mandatory reporting, and so on. However, by the end of 2008 all financial market participants realized absolutely clearly that risks need to be managed, and managed well. It became clear that not enough attention had been paid to risk issues. Interestingly, there is a big difference between us and the West here. If in Russia risk management in general, and the creation of a system, was not really pursued, then in the West, where this segment is rather well developed, risk analysts at many banks warned in advance about the dangers of risky financial policy. Nevertheless, countries on all continents felt the effects of the crisis with equal force. The reason was the policy of the managers of the largest Western banks, who in pursuit of profit preferred not to pay due attention to the warnings of risk analysts.
What was your incentive for implementing an operational risk management solution?
P.S.: Operational risks lend themselves least to standardized accounting. Credit risks and market risks have quite clear criteria for assessing the probability of their occurrence and their possible results. Operational risks are multifaceted by nature, and so assessing them is no ordinary task. Losses from these risks can arise suddenly, and the volume of these losses can be absolutely uncontrollable. Several "generators" of operational risk can be identified: the bank's business processes (in other words, errors connected with the wrong organization of business processes and with insufficient internal control over them); a very important segment of risk connected with the activity of bank employees (errors, incompetence, internal fraud); and the operation of the bank's information systems, which also contains a layer of possible risks connected with malfunctions, equipment failure, and so on. External factors cannot be dismissed either: unauthorized impact on business processes, theft of assets and fraudulent activity by third parties. This whole set of quite different factors belongs to operational risk.
To understand the level of potential impact of operational risks on the bank's activity and on the volume of its capital, it is necessary to create a high-quality, representative database of the incidents connected with these risks. This database should be accumulated over a long time, at least two to three years, which will make it possible to analyze incidents and their causes with a sufficient degree of reliability. The most convenient way to create such a database is a professional solution that collects part of the data automatically and gives bank employees a user-friendly interface for entering and validating information on incidents.
If there is no such professional solution, information about incidents is collected from periodic reports by the bank's divisions. This approach has a number of shortcomings. The accumulated information is analyzed some time after the incident, which complicates obtaining additional information on a particular case. By the time the data is entered into a system (a month later, or even more), details are forgotten and the necessary data is entered into the form incorrectly. Taking all this into account, you inevitably come to understand that creating a high-quality incident database requires a professional solution that allows incidents to be registered in the system. It makes it possible to quickly take measures to reduce the probability that the most dangerous events recur, to assess business processes on the basis of the analytical base of accumulated incidents, and so on. It is also possible to create a system of risk indicators that will later make it possible to determine how regularly a given business process is carried out.
A professional solution includes a reporting block and an analytical tool that make it possible not only to see the current figures but also to build a well-founded forecast. For risk managers it is important that reports can be built in the system on any set of indicators without needing IT specialists to develop them. The logical conclusion of an end-to-end operational risk management system is a module that calculates the level of operational risk in monetary terms and the capital for operational risk by the advanced method*.
In fact, the capabilities I have listed are the basic functional requirements for an operational risk management system.
Besides, it is important that the Bank of Russia, as the regulator of the Russian banking market, has repeatedly declared its aspiration to be guided in its activity by internationally accepted principles, in particular the recommendations of the Basel Committee. The Basel II recommendations say that banks should estimate their risks independently. We calculated that the load on regulatory capital when using the advanced approach, compared with the traditional one, can differ by tens of millions of dollars! At the same time, assessing the risks properly requires high-quality data. We considered all these factors when deciding to acquire an operational risk management system.
When did you begin work on the system implementation project?
P.S.: It depends on what you consider the beginning. The first thing we did, in 2010, was to create within a month a team that was to work on implementing an effective system. An operational risk management unit was created within our department. Another month went into formulating and preparing the justification for implementing an industrial operational risk management system, which was presented to the bank's board. Then came the stage of choosing a system. We studied the market of operational risk management products, developed the tender conditions, and defined the top-level functional requirements for the system, the requirements for protecting data from unauthorized access (NSD), and the requirements for integrating the system into the bank's IT infrastructure. This took us about three more months. SAS won the tender for the delivery of an operational risk management system. The bank spent two more months detailing and approving the business requirements for the system. We had a very clear idea of what we wanted to get in the end, so we submitted requirements for the data structure we needed, for the links we wanted to see between different elements of the system, and for the modules we would like to install and update later. Our business requirements were included in full in one of the annexes to the system implementation agreement. This is a very important element of the project, one that in fact determines its success. After the contract was signed, work on the system implementation began, and it took three months. Thus, if we speak only about implementation, it went very quickly, but it was preceded by months of thorough preparation. In December 2010 the system was put into commercial operation.
What resources were involved in the project on the bank's side and on the contractor's side?
P.S.: On the bank's side, eight people in total were involved in the project. Two worked on it on a permanent basis; they are staff of the risk department, and the head of the operational risk department was the project manager and was responsible for the result.
How satisfied are you with the result?
P.S.: The result inspires optimism: the stated functionality of the system is fully provided, and the system's flexibility gives ample opportunities for implementing new settings and optimizing existing ones. We are at the initial stage of operation, and we have yet to assess all its capabilities in full.
Are you going to expand the range of tasks solved with this system or implement other SAS solutions?
P.S.: All of SAS's operational risk management solutions are modular and are part of a suite called SAS Risk Management for Banking. It also includes solutions for managing credit risk, market risk and liquidity risk (within the ALM module). There is even a special module, Firmwide Riskmanagement, which makes it possible to integrate information on all of the bank's risks in a single database and to calculate the level of risk the bank bears as a whole across all lines, taking into account the correlation of different risk factors with one another and other nuances. The decision on whether to acquire these systems will be made according to our prospective requirements.