Thomas Lee, chief executive at VivoSecurity, and Martin Liljeblad, operational risk manager at MUFG Americas, examine how a data breach cost model can replace an advanced measurement approach in a structured scenario
Thomas Lee, VivoSecurity
Things change. For just over a decade, most large banks measured their operational risk capital using advanced measurement approach (AMA) models.1 Their reign was seen as troubled, their workings as a black box – leaving risk management standards between banks potentially uneven, conflicted and inadequate. With the demise of the AMA now looming, it is time to herald a new kind of model – one that is transparent, intuitive and partnered with expert judgement.
AMA models are essentially loss distribution models trained on a confused array of events that include external fraud and small personal identifiable information (PII) data breaches.2 It is standard practice to estimate value-at-risk from these models using a 99.9% confidence interval for regulatory capital, or 95% confidence intervals for internal estimates. The problem with this approach is that the impact from tail events is…
