Industry initiative of the year: ABA and MStar

OpRisk Awards 2020: American Bankers Association-led project with CCAR banks wins plaudits for forward-looking strategy

Bob Davis, American Bankers Association

It’s a problem that has dogged banks since the inception of the US’s Annual Comprehensive Capital Analysis and Review (CCAR) stress-testing programme: if capital requirements are set based partly on how banks measure and put a price on future uncertainty using idiosyncratic techniques such as scenario analysis, is it fair to compare outputs?

From this problem was born a project spearheaded by the American Bankers Association (ABA), which is in the second year of an effort to create standardised scenarios for measuring the losses banks suffer due to hacking incidents, insider theft and system failures.

The objectives of the project – which is based on the Mstar risk mapping tool from French software provider Elseware – are to: build a shared classification of cyber risks; define common cyber risk scenarios; and benchmark assumptions and results.

“The ABA/Mstar cyber risk modelling project marks an important turning point for operational risk quantification by transforming a complex risk quantification concept into a set of risk assessment tasks, then reconstructing them into a model to achieve the quantification outcome,” says a senior operational risk quant at one of the participating banks.

The identification of risk drivers and introduction of peer benchmarking help banks gain significant insight into their risk profiles, controls and risk mitigation effectiveness, which comprise essential information for improving risk management.

The project is a step in the direction of providing banks with a way to model cyber risks – something that’s proven elusive due to a dearth of historical data such as exists for market and credit risk. The wide disparity in practices has led to accusations of gamesmanship among banks, with those being ultra-conservative in estimating losses, partly to appease regulators, seeing a resultant drag on capital from the operational risk component of CCAR.

Recognising deficiencies in current quantification methodologies for cyber risk, ABA and Mstar launched the cyber risk modelling project at the beginning of 2019. The model views cyber risk along three dimensions: mode of attack; means of access; and assets.

The pilot provides a common scheme for classifying cyber incidents, which the Federal Reserve Bank of Richmond has been encouraging banks to do. Many banks employ scenario analysis to quantify large idiosyncratic risks as part of their operational risk capital and stress-testing processes.

The pilot has introduced the use of Structured Scenario Analysis (SSA), which significantly elevated the quality of the estimation for these risks. Using the data that’s collected, ABA and Mstar have built a set of scenarios from the point of attack, through the IT infrastructure, and towards the intended target. Computer simulations generate a distribution of potential tail events, in contrast to traditional outputs of single-point projections.

The full distribution of loss projections can be incorporated in regulatory exercises including stress-testing and capital planning.

“Rather than just look at history and come up with a point estimate of an event, it’s a way to capture everything you know about an uncertain future and project it out,” says Bob Davis, senior adviser at ABA. “Then you can do Monte Carlo simulations, shock the system and create a lot of outcomes.”

The pilot incorporates anonymised peer benchmarking of loss distribution results and the drivers. The benchmarking results are used by participants: to better understand their risk profiles compared with their peers; to challenge existing models or input from subject matter experts; and to identify additional controls or risk mitigation opportunities.

“This project fits into the trend of banks getting better quality input or to reduce costs. In a lot of areas where banks previously didn’t co-operate, they are now co-operating because it’s too costly to do on their own,” says Davis.

The project has created insights to help improve operational risk management. Risk drivers identified during the SSA exercise are categorised into exposure, threat, vulnerability, intensity, recovery and business buckets to enable relevant mitigation actions, such as segregating businesses to reduce the impact of an event, and developing metrics to monitor exposure, threat and vulnerability.

The Covid-19 pandemic has opened up a new set of threats that may prove harder to catch for normal IT controls, especially with people working remotely. This will be factored into the scenarios that banks are creating, says Davis: “When the scenario was developed, it didn’t explicitly look at risks that we know now from the pandemic. When the risk scenarios are re-evaluated, that will probably alter the way pandemic risk comes into these scenarios, or there might be specific pandemic scenarios.”

The SSAs have allowed participating banks to clearly identify the risk drivers that influence the exposure, occurrence and severity of risks, say project participants. They provide a transparent approach to evaluate the risks, which is a significant improvement from the existing method that relied primarily on expert judgement. The pilot project has provided participants with benchmarking information that explains how each individual bank calibrated the parameters relative to other pilot participants.

“The SSA pilot was instrumental in allowing us to bridge the gap between risk measurement and risk management,” says an operational risk executive at another participating bank. “As the method to measure operational risk evolves from backward-looking, loss data-driven models to scenario analysis-based estimations, so will the data that is at the core of these exchanges. This pilot demonstrates the significant benefits that can be achieved from developing this type of information exchange.”

The next step of the project is to provide the SSA tool to individual participants, which can then customise the drivers and scenario structures for their individual banks, with the ability to drill down to business line or legal entity levels and aggregation up to the enterprise.

An online portal, due to go live later this year, will house downloadable scenarios and benchmarking data.
