Читать книгу Non-financial Risk Management in the Financial Industry - Группа авторов - Страница 110

A possible approach for calibration relies on the analysis of the historical data of a selected KRI; the thresholds are then defined on selected percentiles of the value distributions. The percentile distribution approach is often considered a suitable option since it offers a dynamic risk factor assessment. The distribution is constantly updated as new data enters the dataset, thus allowing for a better representation of the evolution of the underlying risk factor.

Under an operational point of view, the percentile approach consists of three main steps:

1 Building of the dataset through the calculation of the KRI values (e.g. number of non-domestic customers resident in high-risk countries/total number of clients of all the legal entities within scope). It is important to leverage a sufficiently long set of reliable data series (for example, one large EU bank started with three years of data), to avoid having flat distributions potentially characterised by higher volatility; the resulting distributions may, in fact, lead to set thresholds that are triggered all too often.

2 Computation of the KRI distributionThe KRI dataset must then be sorted from the lowest to the highest value, typically having higher percentiles corresponding to riskier values.In order to avoid having too many outlier values, it is important to consider homogenous data for the sample; in case of too heterogeneous data, it could be worth dividing the distribution into sub-distributions based on the characteristics of data (e.g. dividing customers into financial institutions and corporates, or small and large customers). The thresholds shall then be calculated for each of the sub-distributions.

3 Choice of percentiles for limit, caution and target thresholdsThe limit threshold should be set to contain the extreme values observed in the distribution. Most often simulations and backtestings are run in order to estimate the frequency of breaches of the selected limit threshold: this, in fact, in business-as-usual conditions should be triggered only on rare and high-risk occasions. Nonetheless, percentiles are also typically set in accordance with the institution internal broader RAF methodology, in order to have a consistent approach for the various risks managed within the RAF.The caution threshold should be set considering two main aspects:i.How frequently, in history, the breach of the caution threshold then actually led to the breach of a limit threshold, in order to have a significative caution threshold breach.ii.How long would it take to implement timely risk mitigating actions: the threshold should thus be set in order to allow the respective function to undertake the remedial action in a timely manner.Finally, the target threshold should be set based on the risk appetite for the specific KRI that the control function, jointly with the first line, is willing to accept under business-as-usual conditions, and accordingly with overall risk appetite.