Operational Risk Management
Basic Approach
We define operational risk as the risk of loss that we may incur resulting from inadequate or failed internal processes, people and systems or from external events. We recognize that operational risk includes information technology risk, operations risk, legal risk, human resources risk, tangible asset risk, regulatory change risk and reputational risk. We have determined risk management policies concerning risk management structures and methods for each kind of risk. MHCB, MHBK, MHTB, MHSC, MHIS and TCSB respectively manage operational risk in an appropriate manner pursuant to risk management policies determined by MHFG.
Operational Risk Management Structure
MHFG, MHCB, MHBK, MHTB, MHSC, MHIS and TCSB share common rules for data gathering, and we measure operational risk on a regular basis, taking into account possible future loss events and the changes in the business environment and internal management.
We have established and are strengthening management methods and systems to appropriately identify, assess, measure, monitor and control the operational risks which arise from the growing sophistication and diversification of financial operations and developments relating to information technology by utilizing control self-assessments and improving measurement methods.
- Operational Risk Management Structure
Definition of Risks and Risk Management Methods
As shown in the table below, we have defined each component of operational risk and we apply appropriate risk management methods in accordance with the scale and nature of each risk.
| Definition | Principal Risk Management Methods | |
|---|---|---|
| Information Technology Risk | Risk that customers may suffer service disruptions, or that customers or the group may incur losses arising from system defects such as failures, faults, or incompleteness in computer operations, or illegal or unauthorized use of computer systems. |
|
| Operations Risk | Risk that customers may suffer service disruptions, as well as the risk that customers or the group may incur losses because senior executives or employees fail to fulfill their tasks properly, cause accidents or otherwise act improperly. |
|
| Legal Risk | Risk that the group may incur losses due to violation of laws and regulations, breach of contract, entering into improper contracts or other legal factors. |
|
| Human Resources Risk | Risk that the group may incur losses due to drain or loss of personnel, deterioration of morale, inadequate development of human resources, inappropriate working schedule, inappropriate working and safety environment, inequality or inequity in human resource management or discriminatory conduct. |
|
| Tangible Asset Risk | Risk that the group may incur losses from damage to tangible assets or a decline in the quality of working environment as a result of disasters, criminal actions or defects in asset maintenance. |
|
| Regulatory Change Risk | Risk that the group may incur losses due to changes in various regulations or systems, such as those related to law, taxation and accounting. |
|
| Reputational Risk | Risk that the group may incur losses due to damage to our credibility or the value of the "Mizuho" brand when market participants or others learn about, or the media reports on, various adverse events, including actual materialization of risks or false rumors. |
|
We also recognize and manage "Information Security Risk" and "Compliance Risk", which constitute a combination of more than one of the above components of operational risk, as operational risk.
Measurement of Operational Risk Equivalent
Implementation of Advanced Measurement Approach
We have been implementing the Advanced Measurement Approach (AMA) from September 30, 2009, in place of the gross profit allocation approach (The Standardized Approach (TSA)) that we had been using previously, for the calculation of operational risk equivalent in association with capital adequacy ratios based on Basel II. However, we use the Basic Indicator Approach (BIA) for entities that are deemed to be less important in the measurement of operational risk equivalent and for entities that are preparing to implement the AMA. The measurement results under the AMA are used not only as the operational risk equivalent in the calculation of capital adequacy ratios but also as Operational VAR for internal risk management purposes for implementing action plans to reduce operational risk, etc.
Outline of the AMA
Outline of Measurement System
We have established the model by taking account of four elements: internal loss data; external loss data; scenario analysis and business environment; and internal control factors (BEICFs). A statistical approach (one year holding period/one-tailed 99.9 percentile confidence interval) is taken for the calculation of operational risk equivalent, employing both internal loss data (i.e., actually experienced operational loss events) and scenario data to reflect unexperienced potential future loss events in the measurement.
In the measurement of operational risk equivalent as of March 31, 2010, we did not exclude expected losses and also did not recognize the risk mitigating impact of insurance. In addition, we did not take into account the events related to credit risk in measuring operational risk equivalent.
Outline of Measurement Model
Operational risk equivalent is calculated as a simple sum of those related to the seven loss event types defined by Basel II, large- scale natural disasters and litigation. In the measurement of operational risk equivalent as of September 30, 2009, we did not reflect the correlation effects among operational risk related to each of the seven loss event types.
- Outline of Measurement Model
Operational Risk by the Loss Event Type
Loss Distribution (Compound Poisson Distribution) Approach (LDA) is adopted for the calculation of operational risk. LDA is based on the assumption that Poisson Distribution applies to the occurrence frequency of operational risk events, and loss severity is expressed through a separate distribution. Operational risk is calculated for each of the seven loss event types employing both internal loss data, based on our actual experience as operational loss events and scenario data. Scenario data, expressed as numerical values of occurrence frequency and loss severity, reflects external loss data and BEICFs, in order to estimate unexperienced potential future loss events (of low frequency and high severity).
"Frequency Distribution" and "Severity Distribution" are estimated employing the above mentioned internal loss data and scenario data, and Monte-Carlo simulations are then applied to these distributions to measure operational risk. The detailed steps of creation of scenario data are explained later in "Scenario Analysis".
Estimation of "Frequency Distribution" and "Loss Severity Distribution"
"Frequency Distribution" is estimated by applying information on occurrence frequency of both internal loss data and scenario data to Poisson Distribution. "Loss Severity Distribution" is generated as the result of combining, through a statistical approach (Extreme Value Theory), of the actual distribution for the low severity distribution portion created by internal loss data and another loss distribution (Log-normal Distribution or Generalized Pareto Distribution) for the high severity distribution portion created by scenario data.
Operational Risk of Large-Scale Natural Disasters
Monte-Carlo simulation is applied to the datasets expressed as a combination of the probability of occurrence of large-scale natural disasters and the probable loss amount in case of such occurrence, as opposed to estimating "Frequency Distribution" and "Loss Severity Distribution".
Operational Risk of Litigation
Each litigation is converted into data according to the profile of the individual litigation to which Monte-Carlo simulation is applied, as opposed to estimating "Frequency Distribution" and "Loss Severity Distribution". In the measurement process, we assume that final decisions will be made on all litigation within one year.
Verification
We confirm the appropriateness of the measurement model by verifying it, in principle, semi-annually.
Scenario Analysis
Outline of Scenario Analysis
In the process of scenario analysis, scenario data is created as numerical values of occurrence frequency and loss severity reflecting external loss data and BEICFs, in order to estimate unexperienced potential future operational risk events (of low frequency and high severity).
As for external loss data, we refer to data publicly reported by domestic and overseas media, and such data are reflected in the estimation of occurrence frequency and loss severity distribution in the process of scenario analysis. In addition, BEICFs are utilized as indices to adjust occurrence frequency and loss severity distribution in the process of scenario analysis. We categorize scenario analysis into four approaches in accordance with the characteristics of each loss event type and risk management structures.
| Approach | Loss event type(s) to be applied |
|---|---|
| A | Internal fraud/External fraud/Customers, products & business practices/Execution, delivery & process management |
| B | Employment practices and workplace safety |
| C | Damage to physical assets |
| D | Business disruption and system failure |
At MHFG, loss event types to which Approach A is applied account for a considerable amount of operational risk. The detailed process of Approach A is explained below as a typical example of scenario analysis.
Setting Units for Scenario Analysis
In order to ensure completeness and sufficiency, we set units that are commonly applied across group entities that adopt AMA (the "Group Entities") by referencing and categorizing risk scenarios recognized through control self-assessment, internal loss data of the Group Entities and external loss data, etc. Then each of the Group Entities selects the unit on which scenario analysis is conducted from the units established on a groupwide basis in accordance with its business activities and operational risk profile.
Estimation of Occurrence Frequency
Basic occurrence frequency (once a year) is calculated for each scenario analysis unit. If a certain scenario analysis unit has relative internal loss data of a pre-determined threshold amount or above, its basic occurrence frequency is calculated based on such data, and if not, the basic occurrence frequency (the occurrence frequency per year of losses at or above a pre- determined threshold) is calculated with reference to the situation of occurrence of internal loss data of less than the threshold amount and/or external loss data. The basic occurrence frequency is then adjusted within a pre-determined range for the purpose of reflecting the most recent BEICF to determine the final occurrence frequency.
Estimation of Loss Severity Distribution
In order to estimate loss severity distribution, we use a pre- determined series of severity ranges. Basic loss severity distribution is calculated for each scenario analysis unit as an occurrence ratio (in percentile figures) of loss at each severity range when losses at or above a pre-determined threshold occurred, with reference to transaction amount data, external loss data, etc. Then the basic severity distribution is adjusted, if necessary, from the viewpoint of statistical data processing to determine the final loss severity distribution.
Creation of Scenario Data
For each scenario analysis unit, scenario data is generated as a series of combinations of occurrence frequency per year at each severity range, based on the final occurrence frequency and the final loss severity distribution.
- Example of Scenario Data
Glossary
Control Self-Assessments
An autonomous method of risk management in which risk inherent in operations is identified and, after evaluating and monitoring risks that remains despite implementing risk control, the necessary measures are implemented to reduce risk.
(As of Jun 21, 2011)
