Structural Modelling of Operational Risk in Financial Institutions: Application of Bayesian Networks and Balanced Scorecards to IT Infrastructure Risk Modelling

Inaugural dissertation for the attainment of the degree Doctor oeconomiae publicae (Dr. oec. publ.) at the Ludwig-Maximilians-Universität München

Submitted by Irina Starobinskaya
Year: 2008
Referee: Prof. Stefan Mittnik, Ph.D.
Co-referee: Prof. Dr. Andreas Richter
Final doctoral consultation (Promotionsabschlussberatung): 16 July 2008
Contents

I Introduction
1 Introduction and outline
  1.1 Introduction and motivation
  1.2 Research objectives and scope of the thesis
  1.3 Outline of the thesis

II Theoretical background
2 Operational risk
  2.1 Operational risk: Definitions
  2.2 Developments in regulatory requirements for operational risk modelling: The Basel II Accord and The Sarbanes-Oxley Act
    2.2.1 The Basel II Accord
    2.2.2 The Sarbanes-Oxley Act
  2.3 Review of existing methods for modelling operational risk
    2.3.1 Methods based on historical data
      2.3.1.1 Actuarial models: Loss Distribution Approach
    2.3.2 Methods based solely on expert knowledge
    2.3.3 Methods based on a combination of historical data and expert knowledge
  2.4 Problems and challenges of modelling operational risk
    2.4.1 Data insufficiency problem
    2.4.2 Modelling dependencies
3 Bayesian networks
  3.1 Introduction to Bayesian networks
  3.2 Core concepts of Bayesian networks
    3.2.1 Introduction to the graph theory
    3.2.2 The Bayes' theorem and probability calculus
    3.2.3 Conditional independence, d-separation and formal definition of the Bayesian networks
  3.3 Quantification of Bayesian networks
    3.3.1 Algorithms for learning Bayesian networks from data
      3.3.1.1 Known structure and full observability
      3.3.1.2 Known structure and partial observability
      3.3.1.3 Unknown structure and full observability
      3.3.1.4 Unknown structure and partial observability
  3.4 Inference algorithms for evaluation of Bayesian networks
    3.4.1 Exact inference algorithms
    3.4.2 Approximate inference algorithms
  3.5 Evaluating quality of Bayesian network models
    3.5.1 Logarithmic score
    3.5.2 Model assessment
    3.5.3 Diagnostic monitors
  3.6 Application areas of Bayesian networks
  3.7 Advantages and limitations of Bayesian networks as a risk modelling tool
4 Balanced Scorecards
  4.1 Introduction to Balanced Scorecards
  4.2 Core concepts of Balanced Scorecards
    4.2.1 Basic principles of Balanced Scorecards
    4.2.2 Four perspectives of Balanced Scorecards
    4.2.3 Causality concept in Balanced Scorecard framework
  4.3 Designing a Balanced Scorecard
  4.4 Application areas of Balanced Scorecards
  4.5 Advantages and limitations of Balanced Scorecards as a risk modelling tool
5 Expert knowledge elicitation
  5.1 Introduction to expert knowledge elicitation
  5.2 Elicitation process
    5.2.1 General principles of the elicitation process
    5.2.2 Elicitation protocols
    5.2.3 Expert interviews and questionnaires
  5.3 Important facets and pitfalls of the elicitation process
    5.3.1 Necessary conditions for effective elicitation
    5.3.2 Consistency of expert estimates
    5.3.3 Biases of expert estimates
  5.4 Validation of expert estimates

III Application case study
6 IT infrastructure risk
  6.1 IT risks
  6.2 IT infrastructure
    6.2.1 IT infrastructure: definition and its role in risk generation
    6.2.2 Technical aspects of IT infrastructure risk
  6.3 Assessment of IT infrastructure risk
    6.3.1 Reliability, availability and maintainability analysis
      6.3.1.1 Basic principles
      6.3.1.2 RAM metrics
    6.3.2 Financial losses assessment
7 Models construction
  7.1 Risk mapping
  7.2 Constructing a Bayesian network model
    7.2.1 Modelling the network structure
      7.2.1.1 Frequency network
      7.2.1.2 Severity network
      7.2.1.3 Model structure validation
    7.2.2 Quantification of the network
      7.2.2.1 Frequency network
      7.2.2.2 Severity network
    7.2.3 Convolution of the frequency and severity distributions
    7.2.4 Maintaining the network
  7.3 Constructing a Balanced Scorecard model
    7.3.1 Combining Balanced Scorecard and Bayesian network models
    7.3.2 Balanced Scorecard perspectives and indicators
    7.3.3 Balanced Scorecard representation of IT infrastructure risk
8 Results and applications
  8.1 Bayesian network model - Simulation results
    8.1.1 Descriptive statistics
    8.1.2 Risk metrics
  8.2 Updating the Bayesian network given event evidence
  8.3 Managing operational risk with a Bayesian network model - Scenario analysis
    8.3.1 Scenario 1 - Impact of adverse conditions
    8.3.2 Scenario 2 - Impact of dependence structure
    8.3.3 Scenario 3 - Impact of additional employee training

IV Conclusion
9 Summary and conclusion
  9.1 Summary of the thesis
  9.2 Further research questions
  9.3 Conclusion

V Appendices
A Prior probability distributions
B Posterior probability distributions
C Monte-Carlo convolution procedure

Bibliography