GARP 翻译： 管理操作风险的最佳工具

The Best Tool for Operational Risk Management

• Properly-executed case studies can help financial institutions ward off operational risk disasters. What should a good operational risk case study look like, and what lessons can we learn from the Samsung Securities “Fat Finger” incident?

---

• If you want to learn from the operational risk mistakes of others and prevent incidents that could severely impact your firm’s reputation and bottom line, then case studies are your best bet. An effective operational risk case study asks the right questions, details the consequences of the incident and offers suggestions for what could have been done to avert it.

• When we think of operational risk, fraud and information technology failures are likely among the first things that come to mind. But simple human errors are also part of the equation. Last year’s “Fat Finger” incident at Samsung Securities offers an excellent example of what a case study can teach us about human errors, poor oversight and system deficiencies.

• On April 6, 2018, Samsung Securities, one of the largest brokerages in South Korea, accidentally issued $105 billion worth of shares to its employees. Under the company’s stock ownership plan, it was supposed to pay dividends worth 2.8 billion won ($2.6 million) to about 2,000 employees. But a Samsung Securities employee mistakenly entered “shares” instead of “won” (South Korea’s currency) into the computer system, resulting in the issuance of 2.8 billion shares – more than 30 times the company’s number of outstanding shares.

• Although Samsung Securities discovered the incident 37 minutes after it occurred and notified the employees affected that the shares had been erroneously granted, some of them sold the stock, despite warnings from the company.

• What went wrong at Samsung Securities? Plenty. Let’s examine a case study model to break down the incident, its consequences and the lessons learned.

The Bow-Tie Model

• Good case studies can either be outsourced or written internally, based on public resources. One of the most popular and effective approaches to operational risk case studies is the bow-tie model, which (1) explains the underlying causes, motives, opportunities and means that are at the basis of the incident; (2) thoroughly describes the incident itself; and (3) breaks down the consequences, including direct and indirect loss amounts.

• The bow-tie model can certainly help us understand what happened at Samsung Securities, and can also yield ideas on preventing similar incidents from unfolding in the future. The “fat finger” incident happened in just a fraction of a second – an errant keystroke resulting in the issuance of an extremely costly and grossly erroneous dividend. The underlying causes include poor supervision, ineffective internal controls and inadequate regulatory monitoring.

• The model also yields a series of probing questions about the incident: Why was one person allowed to initiate and authorize this transaction? Why did there appear to be no segregation of duties? Why didn’t the IT system block the issuance and distribution of an extraordinary number of shares? And why wasn’t the naked short-selling immediately prevented?

• The consequences of this blunder were manifold. Analysts criticized the firm for having neither a filtering system for preventing human errors nor a warning system that could have stopped the issuance of more shares than actually existed.

• The Financial Supervisory Service, South Korea’s financial watchdog, found that 21 employees of Samsung Securities had either sold or attempted to sell the mistakenly-issued shares. All 21 lost their jobs, and several are facing criminal charges.

• The National Pension Service, South Korea’s biggest pension fund, stopped using Samsung Securities to trade stock almost immediately after the incident. Roughly seven weeks later, South Korean prosecutors raided the broker’s head office, which precipitated the partial suspension of its brokerage services and the resignation of its CEO.

Unique Challenges

• Operational risk is different from – and I think more difficult to manage than – credit risk and market risk. One reason is that it can arise anywhere in the organization – from commercial units, to brick-and-mortar bank shops, to support functions and IT systems.

• Its impact, moreover, is difficult to quantify. Keep in mind that the advanced modeling approach to measuring operational risk has been eliminated, while the new benchmark – the standardized measurement approach – has drawbacks of its own.

• While banks use databases to collect and store data on operational risk incidents, it is difficult, in practice, to extrapolate from these past occurrences – particularly with respect to quantifying losses.

• Indeed, a bank’s own incident database provides only a very limited view of its current operational risk exposure. The incident data that is collected is typically the result of a stochastic process, and therefore not necessarily commensurate with a firm’s operational risk exposure to specific event types.

• The operational risk case study is the go-to methodology for overcoming this randomness bias. It expands the experience from learning from one’s own errors to learning from errors made by others. While reading detailed accounts of incidents that happened elsewhere, operational risk managers may very well ask themselves questions that will help them avoid similar mistakes: Could this happen at our firm? If it does, what would I do? And what specific steps can our organization take to prevent this from happening?

---

Parting Thoughts

• Case studies are among the biggest assets in the operational risk manager’s toolkit. When we analyze the case study of the Samsung Securities “fat finger” incident, important questions are triggered. Why, for example, weren’t checks and balances in place to prevent this stock pay-out from happening? Why wasn’t the employee alerted that a payout of 1,000 shares per share is extraordinary? And why didn’t IT controls prevent the illegal naked short-selling?

• A more fundamental question relates to the irresponsible behavior of the 21 employees who attempted, illegally, to benefit from the “fat finger” blunder.

• How would your employees behave under a similar scenario? Case studies provide the answers every firm needs to avoid being the next poster child for operational risk disaster.

Marco Folpmers (FRM) is a professor of financial risk management at Tilburg University. He is also a managing director at Accenture Finance and Risk.

---

操作风险管理的最佳工具

• 执行得当的案例学习可以帮助金融企业避开操作风险的灾难事件。那么，一个成功的操作风险案例研习应该是如何进行的？我们又能从三星证券的“胖手指”事件当中学习到什么？

---

• 如果你想要从其他人的操作风险失误中吸取经验，并且阻止能够严重影响公司声誉以及底线的事件发生，那么案例学习必不可少。一个有效的操作风险案例学习必须询问正确的问题，就事件结果的细节要明确，并且提供如何规避的意见。
• 当我们想到操作风险，欺诈以及信息技术失败就第一时间浮现于我们脑海，但是个体的失误同样也是其中的一个组成部分，去年的“胖手指”事件发生于三星证券就是一个极佳的案例，这个案例教会我们关于个体的失误，系统的缺陷，低质量的审查。
• 2018年4月6日，三星证券，南韩最大的经纪企业，不小心发行了1050亿价值的股份给予员工。在公司股权计划中，原本应该是支付价值280亿，相当于260万美金给予约2000名员工。但是一个三星证券的员工误输入shares 替代应该输入的won（韩国的货币）进入了计算机系统，导致了发行了280亿股票，超过了公司现有流通股约30倍。
• 尽管三星证券在37分钟后发现了事件，并且通知了相关员工这些股份是被错误的授权了，但是一些员工依然无视公司的警告，售出了这些股份。
• 三星证券具体错在哪里了？非常非常多，让我们应用案例研究的模型，来分析这个事件，它的结果，以及应该吸取的教训。

领结模型

• 优秀的案例研究可以又内部书写完成，也可以基于公共资料，由外部人士书写。一个最流行且有效的方式进行案例研究是领结模型：
  • 解释了基于事件发生的潜在原因，动机，机遇和方法
  • 彻底描述了事件本身
  • 详细拆解了最终的后果，包括直接损失以及间接损失。
• 领结模型可以帮我们理解三星证券到底发生了什么，同时也可以提供阻止未来此类事件继续发生的建议。“胖手指”事件的发生仅仅经历一个很短的时间，一个击键的错误导致了及其严重的错误派息。其潜在的原因在于监管的薄弱，不有效的内控制度，以及监管监测的不充分。
• 这个模型同样衍生出一系列关于事件的可探讨问题：为什么一个个体可以允许发起并授权这样的交易？为什么没有出现职责的隔离？为什么IT系统没有阻止一个明显巨大的股份的发行和散播？为什么裸卖空交易未能被及时阻止？
• 这样的失误的后果是多样性的。分析师职责公司没有一个筛选系统去阻止人为失误也同样没有一个预警系统去阻止发行超过现有存在股份的交易。
• 南韩的金融监管机构发现，21名三星证券的员工要么售出货这企图售出被误发行的股份。所有21人都失去了他们的工作，甚至其中几个还将面临刑事指控。
• 韩国国家养老金机构，国家最大的养老金基金，停止使用三星证券去交易股票当此次事件发生之后，7个周之后，韩国检查机关突击检查了该经纪公司总部，造成了部分经纪服务的暂停，以及CEO的最终辞职。

特别的挑战

• 操作风险区别于，甚至于我认为更加难于管理，相对信用风险以及市场风险来说，其中一个理由是，它可以在公司的任何一处发生，从商业单元，IT系统，支援部门，银行营业部。
• 操作风险的影响也更难量化。请牢记，先进的模型方式去评估操作风险已经消失了，同时新的标准–标准衡量法，有其自身的缺陷。
• 当银行使用数据库来收集存储操作风险事件，在实操中，很难使用这些数据去推断，尤其是涉及到量化损失的情况。
• 确实，一个银行自身的事件数据库，仅仅反应了有限的一部分操作风险暴露的现状，事件数据的手机是一个典型的随机过程的结果，因此，不一定与该公司在特定事件类型下的操作风险暴露能够相吻合。
• 操作风险的案例研究可以克服这样的随机偏差。它从别人的失误中吸取经验。当操作风险经理在阅读风险事件发生的细节时，向自身询问以下问题能够帮助他们自己回避相类似的错误：这类事件是否会发生在我公司？如果会，我会怎么做？哪些具体的措施步骤需要被采纳才能避免此事发生？

---

部分想法：

• 案例分析研究是操作风险经理工具中最重要的组成部分。当我们分析三星证券“胖手指”事件时，重要的问题被触及引发出来：为什么，比如说，监管和平衡措施没有阻止错误的股票支付？为什么员工没有意识到，支付1000股票每股是非常怪异的？为什么IT控制部门阻止非法的裸卖空？
• 一个更基本的问题涉及到21名不负责任的员工的企图非法的从“胖手指”事件中获利的行为。
• 当你的员工处于相似境遇下会如何表现，案例研究报告提供了每家公司企业所需的避免成为下一个操作风险事件海报的答案。