Operational Risk Management - A Gateway to managing the risk profile of your organization (july 2015)

Post on 05-Aug-2015


Operational Risk Management

A GATEWAY TO MANAGING THE RISK PROFILE OF YOUR ORGANIZATION

Eneni Oduwole, July 2015

Content

1. Definitions of Operational Risk & Operational Risk Management

2. Elements of ORM

3. ORM Procedures

4. ORM Tools

5. Benefits of ORM

DEFINITIONS

BRIEF INTRODUCTION TO THE SUBJECT, ITS CORE PRINCIPLES AND FRAMEWORK

What is Operational Risk?

Commonly defined as the ‘risk of loss resulting from failed or inadequate processes, people, systems or from external events’.

It is not a control function.

It involves interfacing with all departments and business units within an organization to ensure that primary risks regarding people, process, systems and external issues

What is Operational Risk Management (ORM)?

Commonly defined as the ‘continual cyclic process which includes risk assessment, risk decision making, and implementation of risk controls, which results in acceptance, mitigation, or avoidance of risk’ (see Wikipedia)

Operational risk management had been defined in the past as all risk that is not captured in market and credit risk management programs. Early operational risk programs, therefore, took the view that if it was not market risk, and it was not credit risk, then it was operational risk (GARP)

ORM is the discipline in an organization that manages the loss or risk of loss resulting from improper or non-management of people, process, system and externally triggered issues


Core Principles of ORM

Accept risk only when benefits are greater than risk of loss or cost of control

Do not accept unnecessary risk; transfer or share where necessary

Anticipate and manage risk by effectively planning and monitoring

Ensure that risk decisions are made at the right level and executed organization-wide

Transparency of Risk is critical

The ORM Framework

As depicted by The Risk Mgt Association (RMA)

i. Management driven

ii. Provides consistent policies and procedures to be applied firm-wide

iii. Must have a consistent and comprehensive capture of data elements

iv. Must reflect the scope and complexity of all business activities

v. Be ‘fit-for-purpose’, unique and require a tailored approach that is appropriate for the scale and materiality of the size and risks prevalent in the institution

Governance Structure

• Board: Risk appetite and tolerance

• Process Owners (All Staff): Ownership and accountability

• Mgt Staff / Dept Heads / Line Managers: Business requirement

• ERM / ORM: OR Risk standards and benchmarks

• Internal Audit: Independent review

ELEMENTS OF ORM

HIGHLIGHTS ON THE COMPONENTS OF ORM WITH RELEVANT EXAMPLES

Components of ORM

People Risks
• Loss of Key Staff
• Employment Laws
• Occupational Health & Safety
• Adequate Training and Skills Nurturing
• Employee collusion/fraud

Process Risks
• Input Errors
• Non-adherence to policies & procedures
• Reporting errors
• Product/Process complexity
• Project Risk

System Risks
• IT Security breaches
• System Capacity
• Data Availability
• System Suitability
• IT General Controls
• Programming errors
• Data Integrity

External Risks
• Business Continuity Mgt
• Regulatory Compliance
• Supplier Risk Mgt
• Security Risk
• Impact of macro-economic trends
• Vendor Relationship Mgt

People Risk Issues

Quality of Recruits

Sourcing and Selection strategy

Retention strategy for top talents

Strategy for training; Acculturation of staff

Monitoring Attrition Rate and Concentrations

Managing Staff Motivation

Process Issues

Effectiveness of process designs: simple or complex; flexible or rigid

Manual vs. Automated processes; Cost effectiveness of process controls

Performance gradient monitoring

Adequacy of embedded controls; Execution of controls

Vendor Management

System Issues

Availability of core applications or systems

Network intrusion; Virus Attack

Denial of service

Data corruption or Sabotage

Unauthorised Access to Information

System Penetration Issues

www.computerweekly.com

ORM PROCEDURES

PROCESSES, PROCESS FLOW, MEASUREMENT PARAMETERS

Processes of ORM

OPERATIONAL RISK GOVERNANCE & MANAGEMENT

1. Fraud Risk Mgt
2. Information Risk Mgt
3. Business Continuity Mgt
4. Occupational Health & Safety Mgt
5. IT Risk Assurance

1. OR Policies & Procedures
2. Risk Assessments
3. Loss Incident Reporting
4. Key Risk Indicator Monitoring

1. Compliance & Legal Risk Mgt
2. Audit Non-conformance Monitoring
3. Third Party Relationship Mgt

OpRisk Process Flow

Risk Identification: Conduct RCSAs; Compile KRIs and Loss Incident reports

Risk Assessment: RCSA Events; KRI Trends; Loss Data Risk Concentrations

Risk Measurement: Probability & Severity Assessments; Overall Risk Ratings, Risk Concentration and Prioritization

Risk Control: Suggest required controls; Ensure cost effectiveness and appropriateness

Risk Monitoring: Report identified risks to key stakeholders; Ensure suggested mitigants are fully implemented

Measurement Parameters

Impact: Also known as Severity. Refers to actual or estimated loss to the organization in terms of financial losses or reputational damage.

Probability: Also referred to as Likelihood of occurrence. Used to measure the estimated frequency of an event.

Both types can be measured in either Qualitative or Quantitative terms.

Probability or Likelihood

Likelihood rating and criteria:

Almost certain (5): It is expected to happen; will certainly happen this fiscal year or during the three year period of the Service Plan

Likely (4): We expect it to happen; it would be surprising if this did not happen.

Possible (3): Just as likely to happen as not; we don't expect it to happen, but there is a chance

Unlikely (2): Not anticipated; we won't worry about it happening

Rare (1): It would be surprising if this happened; there would have to be a combination of unlikely events for it to happen

Impact

Impact rating and criteria / examples:

Catastrophic (5): No recovery of outstanding debt in full; Irreparable damage to DIL's credibility or integrity

Major (4): Event that requires a major realignment of how service is delivered; Significant event that has a long recovery period; Failure to deliver major stakeholder or investor commitment

Moderate (3): Less vulnerable in the near term but faces major ongoing uncertainties to adverse business, financial and economic conditions

Minor (2): Strong capacity to meet financial commitments but more subject to adverse economic conditions; Can be dealt with at a department level but requires Executive notification

Insignificant (1): Minimal financial losses; Can be dealt with internally; No escalation of the issue required; No media attention; No or manageable stakeholder or client interest
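The two rating scales above feed the Risk Measurement step of the process flow (overall ratings, concentration and prioritization). The following is an added worked example, not part of the original deck: it scores a constructed RCSA register (columns mirror the sample template) on the deck's 1-5 scales. Combining likelihood and impact by multiplication, the High/Medium/Low bands and the sample risks are assumptions of this example, not something the slides specify.

```python
"""Score a constructed RCSA register using the deck's 1-5 likelihood and
impact scales. Overall rating = likelihood x impact and the rating bands
are assumptions of this example; the slides do not state a formula."""
from collections import Counter

LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost certain": 5}
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}

# Constructed sample register: risk factor, likelihood, impact, controls,
# responsibility (the RCSA template columns) plus an ORM risk category.
REGISTER = [
    {"risk": "Unauthorised access to information", "category": "System",
     "likelihood": "Possible", "impact": "Major",
     "controls": "Access reviews; MFA", "owner": "IT Risk Assurance"},
    {"risk": "Loss of key staff", "category": "People",
     "likelihood": "Likely", "impact": "Moderate",
     "controls": "Retention strategy", "owner": "HR"},
    {"risk": "Input errors", "category": "Process",
     "likelihood": "Almost certain", "impact": "Minor",
     "controls": "Maker-checker review", "owner": "Operations"},
    {"risk": "Supplier failure", "category": "External",
     "likelihood": "Unlikely", "impact": "Major",
     "controls": "BCM plan; alternate vendor", "owner": "Procurement"},
    {"risk": "Denial of service", "category": "System",
     "likelihood": "Possible", "impact": "Moderate",
     "controls": "Capacity monitoring", "owner": "IT Risk Assurance"},
]

def score(entry):
    """Overall risk rating: likelihood x impact on an assumed 5x5 matrix (1-25)."""
    return LIKELIHOOD[entry["likelihood"]] * IMPACT[entry["impact"]]

def band(rating):
    """Assumed bands on the 1-25 range: High >= 12, Medium >= 6, otherwise Low."""
    if rating >= 12:
        return "High"
    return "Medium" if rating >= 6 else "Low"

def prioritize(register):
    """Treatment order: highest rating first; ties broken by the larger impact."""
    return sorted(register, key=lambda e: (score(e), IMPACT[e["impact"]]), reverse=True)

def concentration(register):
    """Sum of ratings per risk category, i.e. where the register's risk concentrates."""
    totals = Counter()
    for e in register:
        totals[e["category"]] += score(e)
    return dict(totals)

if __name__ == "__main__":
    for e in prioritize(REGISTER):
        print(f"{score(e):>2} {band(score(e)):<6} {e['category']:<8} {e['risk']} -> {e['controls']} ({e['owner']})")
    print("Concentration by category:", concentration(REGISTER))
```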

OpRisk Loss Types

Actual losses: Values related to losses already expensed by the organisation

Potential losses: Values related to incidents that are yet to be determined, usually as it relates to incidents under investigation or for which the customer is liable

Prevented losses: Values related to incidents that were frustrated because of the effectiveness of the organisation’s control mechanism

ORM TOOLS

BRIEF INTRODUCTION ON RCSA, KRI AND LOSS INCIDENT REPORTING

Tools of ORM

Risk & Control Self Assessment (RCSA):

A simple process that captures prevalent and likely risks in a business function and suggests required controls

It is a participative process that relies on inputs from everyone involved in running the business or managing relevant processes

It is a qualitative exercise that should be carried out at least on a quarterly basis


Risk & Control Self Assessment (RCSA): It should provide answers to the following questions:

What can go wrong? How can it go wrong?

What is the likelihood of it going wrong?

What is the potential damage?

What can be done about it?

Who will do it?

RCSA Sample Template (columns: Risk Factors, Likelihood, Impact, Controls, Responsibility)

Loss Incident Reporting

• Involves the process of collating data resulting from operational risk events relating to people, process, system and external events risks

• Assists with identifying trends

• Ensures cost-effective controls are deployed to mitigate likely risks

• Enables determination of risk concentration

Loss data includes:
– Actual losses
– Near misses (potential and prevented losses)

Sample of Loss Incident Form

Key Risk Indicator (KRI) Monitoring

• KRIs are quantitative parameters used to identify changes in the risk profile of business activities and processes

• Close monitoring enables the following:
– Clear understanding of how risk profiles change
– Determination of volatility of risks across the business environment
– A forward looking perspective on current risk profile
– Understanding of early warning signals for emerging risks

Sample of KRI Dashboard

BENEFITS OF ORM

REASONS FOR INVESTING IN ORM

Values of ORM

Improved quality

Cost savings

Stability of earnings; Reduced Volatility

Enhanced competitive position of the organization

Operational efficiency

Assured long-term survival

Compliance with best global practices

Enhanced Shareholder Value

Risk Reward

ORM is Simply Good Business


Good Operational Risk Management

Fewer Surprises

Increased Shareholder Value
