OPERATIONAL RISK MANAGEMENT
FRAMEWORK IN SONERI BANK
MBA Research Project
Fall 2013
Group
Imtiaz Ahmed Hanfi ()
Arif Hussain Tirmizi ( )
Supervised by
Syed Farhan Shakeel
ABSTRACT
Banks face many risks, which should be managed, though their core competence is to
cut excess costs and maximize their profits. Operational risk is increasingly
important in the management and corporate governance of a bank, and it increasingly
has greater implications for and interactions with other risks, such as market or
credit risk. The management and analysis of operational risk is a necessary activity for
a bank, presenting many opportunities for development and a major field of study on
conceptual and practical issues due to the particularity and complexity implied in this
type of risk. Making use of secondary data collected through library research, journals
and analysis of reports, the paper reviews the operational risks of banks and their
management. Soneri Bank has been selected as a case study in order to understand
operational risk management in banks in Pakistan.
The adoption of Basel II by the SBP has inexorably increased the need for effective
management of operational risks and for the development and implementation of
structured methodologies for the analysis and quantification of operational risk within
the bank.
ACKNOWLEDGEMENT
Completion of our MBA research project was only possible due to the motivation and
helping hand of many others along with our own efforts. We would take this opportunity to
express our heartfelt gratitude to the people who have been instrumental in the successful
completion of this project.
Foremost, we would like to express our deep gratitude and respect to Mr Syed Farhan
Shakeel, whose advice and insights were invaluable to us; without his motivation and
encouragement, this research project would not have materialized. We cannot express our
gratitude for your tremendous help throughout the course of this project.
Secondly, this report would not have been possible without the respondents who took the
time to respond to our questionnaire and enabled us to finish the term report in a timely manner.
The guidance and support received from all the members who contributed and who are
contributing to this project was vital for the success of the project. We are grateful for their
constant support and help.
Table of Contents
ABSTRACT
ACKNOWLEDGEMENT
List of Tables
CHAPTER ONE: BACKGROUND OF THE TOPIC AND STATEMENT OF THE PROBLEM
  Introduction
    I. The Basel II Framework
    II. The Risk Management Guidelines of the State Bank of Pakistan
  Problem Statement
  Scope
  Delimitation
  Objectives
  Definition of Operational Risk
    Causes of Operational Risk
CHAPTER TWO: RESEARCH METHOD & PROCEDURE
  Research Design & Methods
  Respondents of the Study
  Research Instrument
  Sources of Data
  Treatment of Data
CHAPTER THREE: LITERATURE REVIEW
  Introduction
    I. Identification of Operational Risk
      1) Definition of Operational Risk
      2) Underlying Operational Risk Factors
        i) People
        ii) Systems (Technology)
        iii) Processes
        iv) External Factors
      3) Methods of Risk Identification
  Conceptual Framework
CHAPTER FOUR: PRESENTATION ANALYSIS
  Operational Risk Management Framework
    I. Risk Identification and Assessment
    II. Risk Monitoring
    III. Risk and Loss Event Reporting
    IV. Other
  Policy and Strategy for Operational Risk Management
    ORM Overall Strategy
    V. Strategy for Operational Risk Identification and Assessment
    VI. Strategy for Operational Risk Monitoring and Mitigation
      Operational Risk Monitoring
      Operational Risk Mitigation
    VII. Strategy for Operational Risk Reporting and Measurement
  Risk and Control Self Assessment (RCSA)
    Purpose of RCSA
  Likelihood Grid
  Impact Grid
  Heat Map
  Analysis of Data from Survey
CHAPTER FIVE: SUMMARY OF FINDINGS, CONCLUSION & RECOMMENDATION
  Findings
    I. Interview
    II. Survey Results
  Conclusion
APPENDIX
  Questionnaire
References
List of Tables
Table 1.1 Source: (Laycock, 1998)
Table 1.2: Taken from Crouchy (2000)
Table 2.1: Risk Impact Table
Table 2.2: Risk Likelihood Table
Table 2.3: Activity based Risk & Control Self Assessment at Soneri Bank
Table 2.4: Likelihood Grid
Table 2.5: Impact Grid
Table 2.6: Soneri Bank's Heat Map
CHAPTER ONE: BACKGROUND OF THE TOPIC AND
STATEMENT OF THE PROBLEM
Introduction
Banking business is all about managing risks and returns, and accomplishing this
continues to present a key test to all banking institutions. The success of a bank is
consequently dependent on how well the bank manages its risks. The foremost purpose is
not to eliminate risk, but to be hands-on in assessing and managing risks to the bank's
strategic benefit.
Banks have been through an intense period of transformation in the past few
years, with changes which have significantly increased the potential for operational risk.
Improved regulation, mergers and acquisitions, internal reformation and changes to
systems and technology confront management with a possible minefield of risks as well
as issues.
Previously, operational risk was dealt with by internal control methods within business
lines, supplemented by the Audit function. The industry has now started to use explicit
structures and control processes tailored to operational risk mitigation. As operational
risks have grown with the increasing complexity of the Bank’s activities, the adoption of
a risk management framework is crucial in order to control this risk.
I. The Basel II Framework
The global banking sector and controllers now face new challenges with the requirements
spelled out in the Revised Framework for International Convergence of Capital
Measurement and Capital Standards (often referred to as the “Basel II Accord”) issued
by the Basel Committee on Banking Supervision. The Basel II Accord sets out the
regulatory capital framework that replaced the existing 1988 Capital Accord with a
more risk-sensitive framework and introduced, for the first time, an obligation to hold
capital against operational risk.
Significant transformation in risk management practices, the regulatory environment and
financial markets over the last decade has resulted in the need to strengthen the stability
of the international banking system. The framework places increased focus on
compliance and supervisory evaluation, and also on capital management, which is
expected to be achieved through a closer alignment of capital to actual risks (risk
sensitive capital requirements).
The Basel II Accord introduced the following three approaches for the computation of
the operational risk capital charge:
a) Basic Indicator Approach (BIA)
b) The Standardized Approach (TSA)
c) Advanced Measurement Approach (AMA)
II. The Risk Management Guidelines of the State Bank of Pakistan
The SBP has adopted the Basel II Accord vide its BSD circular No.8 dated June 27, 2006
detailing the instructions and rules relating to the capital adequacy requirements under the
said Accord.
According to the circular, banks may choose to adopt either BIA or TSA while the AMA
is not being proposed at the moment. However, banks are advised to follow the
international best practices, with reference to data availability and the sophistication of
their risk management framework, and may prepare themselves for an early adoption of
AMA, as and when approved by the SBP.
Problem Statement
To identify the current status and the underlying factors of operational risk management,
in order to provide a comprehensive description of Operational Risk Framework.
Scope
This study would be conducted on one of the emerging banks in Pakistan, i.e. Soneri Bank.
The participants for qualitative research are bankers from the operational department of
Soneri Bank in Karachi, who shall be interviewed.
Delimitation
Our study primarily focuses on three main factors of operational risk only:
- People
- Process and System
- External Factor
Objectives
The purpose of this study is to suggest a structured approach for operational risk in a
banking environment in order to protect the interest of the stakeholders as follows:
- Providing depositors with greater reliability;
- Providing quality services to customers and increasing their confidence in doing
business with the Bank;
- Providing employees with the best possible working environment to improve their
morale and efficiency; and
- Improving the overall financial image and reputation in front of the government
and regulators.
Definition of Operational Risk
The Basel II Accord describes operational risk as the possibility of loss resulting from
inadequate or failed internal processes, people and systems or external events. This
definition takes account of legal risk, but excludes strategic and reputational risk.
Although reputational risk is not formally integrated in the classification of operational
risk under the Accord, the Bank considers the reputational consequences of failures
in operational risk management as a component of the ORM framework across the Bank.
From the Bank’s perspective, operational risk is classified as the risk of loss resulting
from inadequate or failed internal processes, people and systems or external events. This
classification includes legal risk as well as the reputational consequences of failures in
operational risk management.
Causes of Operational Risk
Risk is stated in terms of three components: event, cause and effect. This can be
explained by an easy example, a worm virus:
a. Event (Risk) – a virus enters your computer;
b. Cause – the external cause is a hacker, the internal cause is a lack of current virus
protection software; and
c. Effect or consequence – computer software fails; data is lost, with potential financial
and non-financial consequences.
Identifying the root cause of an event (risk) helps to isolate operational losses
from other types of losses and to understand what action might be appropriate to
mitigate the risk level. Some examples of operational risk causes include:
- lack of policies and procedures
- insufficient segregation of duties
- not enough training
- insufficient activity management
- lack of management review and supervision
- insufficient analyses
- information processing mistakes
- not enough physical controls
- inadequate business continuity plan and disaster recovery plan
- risk factors that are not in the control of the bank
When the root cause of a loss event or probable loss is internal, the center of attention
must be on how to address the causal factor(s). This usually involves changing a business
process or enhancing controls to decrease the potential odds and impact of a risk event.
For example, if “miscommunication” of significant information resulted in some serious
consequences, consideration should be given to improving the quality of communications,
perhaps by implementing a rigorous Management Information System (MIS).
When the root cause of a loss event or probable loss is external, focus should be on how
well the key risk indicators (that are not in the Bank’s control) are being monitored.
CHAPTER TWO: RESEARCH METHOD & PROCEDURE
Research Design & Methods
Research Type: Qualitative.
Research strategy is case study.
Data Collection: Primary data and Secondary Data
Respondents of the Study
Soneri Bank personnel who are directly and indirectly involved in managing operational
risks.
Research Instrument
Data pertaining to our research will be collected through interviews, a questionnaire
and documented data of Soneri Bank.
Sources of Data
The data for the guidelines with respect to ORM at Soneri bank have been obtained from
the risk management guidelines of the State Bank of Pakistan (SBP) and the Basel II
Accord issued by the Basel Committee and adopted by the SBP.
Treatment of Data
Data gathered will be interpreted according to our own understanding of an optimal research
framework, and results obtained through the survey will be analyzed using Excel graphs.
CHAPTER THREE: LITERATURE REVIEW
Introduction
Globalization and new technology have provided the banking industry with profit-making
opportunities but have also made it more vulnerable to operational risk. It seems that the
industry’s risk-control capabilities have not kept pace with these developments as proved
by, for example, the Barings bank trading saga in 1995. This occurrence, together with
many others, motivated banks to take a more proactive approach to operational risk
management.
The first challenge is to identify the underlying risk factors on which a definition for
operational risk could be based. This definition could, in turn, be used for the
classification of operational risk in the identification process. The second challenge is to
evaluate the risk factors to determine their potential impact on banking institutions. The
appropriate techniques available to measure these factors, and therefore control them,
will also be discussed. Thirdly, risk control will be addressed in terms of the activities
needed to eliminate or reduce the potential adverse effects of the underlying risk factors
as well as the organizational structure that should be in place to support risk management
activities. Lastly, the cost of managing operational risk will be discussed.
I. Identification of Operational Risk
According to Williams (2000), determining operational risk depends on the particular firm.
Williams also states that “The key thing is that firms really need an internal definition of
operational risk. People talk about key factors or key risk factors with the idea being to
pick a finite list of things that you believe you have exposure to, and then prioritize those
and focus on the ones that seem to be the most important.”
Williams (2000) emphasizes that risk identification, as the first step of a risk management
process, provides an important foundation for the firm to rely on in the future.
Furthermore, if there is not a clear understanding of what operational risk means to the
individual business units and the corporation as a whole, it will not be possible to build any
technology systems for the measurement and management of the risks.
Although this might sound straightforward, it often causes confusion, as managers focus
on the effect rather than the cause of the risk. In this regard, Rachlin (1998) states that banks
often try to reduce the symptoms rather than try to rectify the underlying problems.
Hence the necessity to take a brief look at the causes and effects of operational risk.
RISK FACTOR | CAUSE | EFFECT
People (Human Resource) | Loss of key staff due to defection of key staff to competitor. | Variance in revenues
Process | Declining productivity as value grows | Variance in process costs from predicted levels
Technology | Year 2000 upgrade expenditure | Variance in technology running costs from predicted
Source: Adapted from (Crouchy, 2000)
Laycock (1998) lists six categories of causes that could give rise to operational risk
(Table 1.1):
PEOPLE/EMPLOYEES
- Errors
- Misdeeds
- Employment law
- Employer’s liability
- Absence/Loss of key staff
- Organizational structure
- Corporate Governance
- Wrongful trading
CUSTOMER RELATIONSHIP
- Client suitability
- Client capacity
- Client power/authority to transact
- Money laundering
TECHNOLOGY
- System failure
- System integrity
- System age
- System suitability
- System support
- System conformance to corporate standards
- Model risk
- Data quality
ASSETS
- Business interruption
- Asset loss/destruction
- Third party left
- Fraud
REGULATOR/SUPPLIERS
- Legal risk
- Compliance with standards
- Changes in regulatory standards
- Supplier “Failure”
OTHER
- Project risk
- Reputation risk
Table 1.1 Source: (Laycock, 1998)
This list is, however, not exhaustive and presents only one way of categorizing the causes
and events relating to operational risk. Among the categories listed are some that are
extremely difficult or impossible to quantify, such as the organizational issues.
Crouchy (2000) states that operational risk can be broken down into three main risk
factors, namely the failure of people, processes and technology deployed within the
business (Table 1.2). They also classify these main risk factors according to internal and
external dependencies. Internal dependencies should be analyzed according to a set of
common features consisting of three key components, namely, capacity, capability and
availability.
Table 1.2: Taken from Crouchy (2000)
1) Definition of Operational Risk
From the above discussion it is evident that an accepted definition of operational risk
should include both the internal and external underlying factors. A suggested working
definition for operational risk by the (Authority, 1999) is: “The risk that the continuation
of business may lead to loss as a result of human fallibility, technological shortcomings
and/or various external factors. A bank should mitigate these risks through the use of
systems and controls. However, if the latter is inadequate, they may constitute new risks
and/or exacerbate existing risks”
The factors included in the definition could be easily identified as:
- People (human fallibility)
- System (technological shortcomings and breakdowns)
- Processes (systems and control)
- External factors
It could, however, be said that other risks that a bank is exposed to could also include the
above mentioned factors. As such it is important to qualify the interrelation of these
operational risk factors with the other primary risks, such as credit risk, market risk,
liquidity risk and country risk. It is, therefore, imperative to distinguish clearly between
operational risk and other risks to ensure a more positive management approach towards
operational risk.
According to the (Authority, 1999) it is imperative that a definition of operational risk
should be as comprehensive as possible. It is prudent to consider all the risks that an
institution faces and to mitigate those risks. Failure to include a risk explicitly in a
definition may result in failure to consider that risk. Therefore, the inclusion of the
underlying factors of operational risk in its definition is imperative. Reflecting the main
underlying risk factors in the definition of operational risk could also assist the process of
evaluating and quantifying operational risk for control purposes.
During a conference on 21 May 1998, the Operational Risk Forum decided to identify a
narrow and a wide definition of operational risk.
- Narrow definition: Operational risk is seen as risk residing in a department called
“operations” and is described as those errors and omissions of controls, systems
and processes which may lead to potential losses.
- Wide definition: Operational risk is seen as all risks not covered by market or
credit risk. The problem with this approach is that it may leave an unidentified
residue, which could impact the income statement materially and undermine the
wide definition approach.
In order to accommodate the wide and narrow definitions, the Operational Risk Forum
defined operational risk as follows:
“Operational risk is the exposure to potential financial losses. Such losses may be
caused by internal or external events, trends and changes, which were not captured by the
corporate governance and internal control framework, systems, policies, organization,
ethical standard or other key controls and standards of the firm. Such losses exclude those
already captured by other risk categories such as market, credit, or strategic/business
risk”
Although this definition includes the main underlying operational risk factors (People,
system, process and external factors), it also includes other elements or “sub-risk” factors
such as policies, control framework and ethical standards. This approach could possibly
lend itself to the omission of other factors, for example, procedure, organizational
structures and risk principles. This definition, although comprehensive, should rather be
stated differently by referring to only the main underlying risk factors. This will ensure
that no “sub-risk” factors are omitted and that it still covers the requirements of a narrow
and wide approach.
Taking into account all the previously discussed viewpoints of operational risk, a suitable
definition for operational risk management in a banking environment could be the
following:
Operational risk is the exposure of a bank to possible losses, resulting from inadequacy
and/or failure in the execution of its operations. The source of these losses could be
process, people, system and external events.
This definition firstly comprises the main underlying operational risk factors, namely,
people, processes and systems. Although the factors are seen as an integral part of
operational risk, they could also have an influence on the total organization in terms of its
operations. As such, it is important to take cognizance of interrelationships between
operational risk and the other main risk types like credit, market and liquidity risk. The
following example illustrates the interrelationship between operational and credit risk:
The failure of a bank’s credit system could result in a loss of credit business.
Although it is a loss in terms of credit business, the loss is a result of the system
failure. As such, the loss should be classified as an operational loss. The actual
risk (operational risk) should be addressed by operational risk control measures,
for example, by ensuring that back-up systems are in place to prevent any losses due
to system failures.
Secondly, the definition includes the risk pertaining to the external factors which are
beyond the direct control of a bank. The definition looks specifically at the adverse effect
external factors could have on the bank if the people, processes and systems cannot cope
with them. For example:
If lightning should neutralize the internal system of a bank, preventing the bank
from doing business, it could result in a loss. The adverse effect on the systems
could be seen as an operational risk exposure; hence the necessity to address it
according to an operational risk management process. For instance, having a
backup system to ensure the normal continuation of business could be seen as an
operational risk control mechanism.
Thirdly, the definition excludes the risk exposures to a bank caused by other risks such as
market, credit, liquidity, and country. The intention of the definition is to indicate in a
positive way what operational risk entails rather than to indicate that it consists of all
factors not covered by the aforementioned risks. This positive approach towards
operational risk should allow management to be more specific in addressing all the
relevant operational risk factors.
2) Underlying Operational Risk Factors
Katz (1995) stated that no business should be entered into without a full and early
assessment being made of the underlying risk factors that relate to it. Furthermore, all risk
factors need to be identified such that credit, operating, accounting, reporting and risk
management tools can be put in place. Davies (1998) states that a central requirement of a
risk allocation process is to be able to assess the extent to which the exposure to a risk
factor increases or decreases the expected volatility of earnings. This emphasizes the
necessity to identify risk factors with sufficient precision to be able to monitor and
control them effectively.
In the previous section operational risk was defined based on the primary underlying
operational risk factors that were identified as:
- People
- System (Technology)
- Processes
- External factor
This section deals in detail with each of these underlying factors to determine their effect
on operational risk.
During the detailed analysis of the primary underlying operational risk factors, additional
sub-risks of operational risk will be identified. For example, people as a risk factor could
result from human error, which could cause fraud and subsequently be viewed as fraud
risk. However, it must be emphasized that the dynamic nature of a business could
influence its exposure to risks and additional underlying risk factors could evolve,
changing the overall potential effect of operational risk.
i) People
The success of a business is dependent on the knowledge, skill and capability of the
persons involved in all of the business processes.
Kingsley (1998) stated that people are most important resource of a company and
historically, they have been overlooked while assessing operational risk, as it is hard to
judge the risk of:
Human mistake
Lack of reliability
Lack of separation of duties
Poor customer service
Dependency on key individuals
inadequate skills,
Lack of training
Kingsley (1998) argued that one of the major reasons in many dramatic failures is people
risk as it is very difficult to measure.
From the above, it is evident that people risk could include a variety of sub-risk which
should be addressed during a risk management process.
- Integrity:
  o Fraud
  o Collusion
  o Malice, the unauthorized use of information
  o Rogue trading
- Competency
- Management
- Personnel
- Health and safety
Authority (1999) identified the following primary sources of people risks:
- Incompetent staff
- Human mistake
- Poor working environment
- High staff turnover
- Poor communication
- Unauthorized decision making
Wilson (2000) states that human resources (people) risk is not just the responsibility of
the human resources department, although it does contribute to controlling the risk.
The business units themselves have specific responsibilities regarding the control of
operational risk. For example, given the rogue trader problems which some banks have
suffered, it is also important that the operational risk manager checks that the human
resources department has sufficient controls with regard to personnel security, namely:
- Hiring process
  o References and working credentials
  o Existing and ongoing security training and awareness program
  o Job descriptions defining security roles and responsibilities
- Termination procedures
  o The extent of the termination debriefing
  o Ensuring revocation of physical access (cards, keys, system access authority ID etc.)
ii) Systems (Technology)
A bank faces operational risk when the system it chooses is not designed or implemented
according to the requirements of its end users, both internal and external. For example, if the
bank's systems are too slow, this results in delays in customer service. A
further problem banks face is rapidly changing technology, which exposes them
to the risk of systems obsolescence. For example, electronic banking systems require
regular updating. This type of software poses a risk for the bank, as criminal or malicious
individuals could interrupt and modify it, leading to potential losses. In addition, staff
must be trained on new technology so that they can understand and run the new
systems. So, whenever the technology changes, it exposes the bank to operational risk.
Operational risk can also be identified in terms of a risk resulting from system failures,
which reflects the possibility that the systems are inherently flawed and could arise from
various factors. Various authors include systems in their definitions of operational risk, as shown in
the following extracts.
“…risks are those of malfunctioning of the information systems...”
“…the potential for adverse fluctuation due to the effects attributable to system...”
“...the risk runs by a firm … its internal practices, policies and systems...”
“Operational risk arises from the potential for inadequate systems...”
According to Wilson (2000), technology risk is at the heart of a business such as
investment banking and should be addressed during the implementation of any system
changes or developments. A firm could be exposed across all business areas to general
technology risk. He lists the following types of protection against system risk:
- Physical protection
- Functional protection
- Data protection
The sub-risk factors of systems can be summarized as follows:
- System failures
- Security breaches
- Non-development of systems and implementation failure
- Insufficient systems capacity
- Poor data integrity
This list could be expanded or formulated more accurately according to the systems needs
of an organization.
iii) Processes
According to various definitions of operational risk, it is once again evident that
processes form an integral part of operational risk and could thus be seen as a main
underlying risk factor. This is substantiated by the following examples:
“The risk of loss caused by failure in operational processes…”
“Operational risk is the exposure to financial or other damage arising through unforeseen events or failure in operational processes…”
“Risks are associated with any other day-to-day business processing…”
“Operational risk involves processing…”
“Operational risk arises from failure to control … processing…”
“Operational risk is the potential for loss caused by events such as the breakdown of processes…”
The process environment forms a part of the operations environment, and the
components of the environment act upon and influence each other (Davies, 1998).
Thus an external event, such as the introduction of the Euro, could have an impact on
a bank’s process environment, as it could influence the internal processes which relate
to the activities involved in dealing with the Euro.
The process environment ultimately controls the quality of data integrity. This,
according to Davies, includes both static data and transaction data.
The risk could arise at any part of the process, from order capture to the recording of
the transaction in the general ledger. Davies states that operational risk is therefore not
limited to operations functions and may also exist in the following circumstances.
- Set Up
  o The set up of new instruments and counterparties
  o New business process to control the migration of new products into the process environment
- Pre-Settlement Activity
  The settlement and agreement of trade data and details of settlements with third parties:
  o Trade capture
  o Confirmation/affirmation
  o Balancing to exchanges, and
  o Maintenance events, for example, rates re-fixes and expiries
- Post-settlement activity
  The movement of and control over, cash and physical assets:
  o Processing of the movement of assets, such as cash and stock
  o Inventory management, for example, custody and corporate actions processing and
  o Reconciliation of internal records to custodians and agents
In order to address the processing risks, as part of operational risk, it must be determined
exactly where the risks are within each environment. According to Davies, this activity
can be initiated by looking at the process flow of a single trade, determining where the
risk occurs and how it can be measured.
It is also evident that processes form an integral part of operational risk and could thus be
seen as one of its main underlying risk factors.
iv) External Factors
External factors beyond the direct control and influence of the organization could have an
adverse effect on the internal underlying operational factors. It is imperative therefore
that these external factors should be considered during an operational risk management
process. The following extracts from various definitions confirm this view:
“Operational risk also includes losses from external events…”
“Operational strategic risk originates outside the firm since it stems mainly from external areas such as regulatory and fraud risk…”
“…risk of business disruption, control failures, errors, misdeeds or external events…”
It is important to understand that reference to external events is not intended to include
defaults or market factors that would be captured under definitions of market and/or
credit risk.
According to Authority (1999), fraud risk is considered an external risk factor.
However, it could also evolve internally. Mayland (1993) states that fraud risk is the risk
that results from illegal actions of a bank’s employees, customers, additional parties to a
transaction or outside intruders. Systemic risk is also seen as a sub-risk factor. Mayland
states that systemic risk arises when a bank participates in a payments or securities
clearance network. If a network participant, for example, fails to settle and causes other
participants to have liquidity problems, it is possible that the bank could also suffer liquidity
problems.
Systemic risks, however, are a legitimate concern of credit administration and credit
policy executives. There is a great deal of regulatory concern for systemic risk, and most
of the payments, securities and derivatives networks devote a great deal of effort to
understanding and controlling systemic risk.
Regulations are another external factor that could cause operational risk for a bank.
Mayland (1993) states that regulators are concerned that some banks are not
devoting enough management attention to the “off-balance-sheet” risks associated with
corporate services. Regulators are therefore responding with specific requirements that
force banks to manage operating risks as one of their priorities.
Because banks have no direct control over that part of operational risk which is generated
by the external factors, it is difficult to manage it proactively. Although it is difficult to
quantify these factors, it is important for a bank to anticipate and address the relevant
issues in order to reduce the factors’ adverse effects.
As with the other main underlying risk factors of operational risk, external factors can be
divided into sub-risks to demarcate the areas that should be addressed during the
management process, namely:
- Criminal activities
- Catastrophes/natural disasters
- Regulations/compliance
- Information Security
- Economic and Political activities
Once again it must be emphasized that this list could be expanded, depending on the
exposures of an organization.
3) Methods of Risk Identification
The Financial and Management Accounting Committee (FMAC) states that management
and other relevant personnel could identify the key risks in a number of ways, for example:
- Workshops and interviews
- Brainstorming
- Questionnaires
- Process mapping
- Comparisons with other organizations
- Discussion with peers
The Authority (1999) states that the tools for identifying risks could include checklists,
questionnaires, standard templates and facilitated workshops. The estimation of the
impact and probability of the risk event is, however, usually left to the judgment and
experience of the business unit manager. Sometimes loss data of external or internal
events could provide management with examples of the impact of similar events. In a
diverse organization, questionnaires tend to be less useful, as the questions they contain may
not be very business specific. However, where an institution is involved in a similar
business at a number of sites, for example, the branch network in a retail bank, a more
detailed questionnaire may be suitable because of the homogenous nature of these
business units.
[Figure: Conceptual Framework. Components of Operational Risk Management System: Risk Policy & Strategy; Risk Identification; Risk Assessment; Risk Management & Monitoring; Risk & Loss Event Reporting. Operational Risk Management System: Culture of Organization; Awareness of Employees; Governance; Business Strategy. Key: Independent Variable; Moderating Variable; Dependent Variable.]
[Figure labels: Operational Risk Management Framework; Governance and Organization; Operational Risk Policy, Strategy & Procedures]
CHAPTER FOUR: PRESENTATION ANALYSIS
Operational Risk Management Framework
The operational risk management framework at Soneri Bank comprises the following
key elements:
a. Governance structure for operational risk management
b. Roles and responsibilities of BOD, Risk Management Committee, Senior Management,
Head of Risk Management, Operational Risk Management Department
and other related personnel or functions.
c. Operational risk management strategies and processes for risk identification,
assessment, monitoring, reporting and measurement.
Figure 1: Chart drawn from the information provided during the interview.
[Figure 1 labels: Risk Policy & Strategy; Risk Identification; Risk Assessment; Risk Management & Monitoring; Risk & Loss Event Reporting; Culture and Awareness]
The Operational Risk Management Division (ORMD) is responsible for:
a. Risk Identification and Assessment
b. Risk Management and Monitoring
c. Risk & Loss Event Reporting
d. Risk Policy & Strategy
I. Risk Identification and Assessment
The ORMD is responsible for:
- Conducting risk and control assessment of each process.
- Assisting business and support units in identifying, assessing and monitoring operational risk.
- Establishing Bank-wide risk bands in order to assess the likelihood of occurrence and financial impact of each inherent risk identified in the process of the RCSA exercise.
- Conducting RCSA workshops with the process owners or RCSA Coordinators for identifying key risks, their related controls, key risk indicators, severity and likelihood, thresholds and responsibilities.
- Accumulating critical risks and key risk exposures identified by RCSA Coordinators and communicating the same to the HRM and the RMC.
- Evaluating new product proposals with respect to operational risks and adequacy of mitigating controls.
II. Risk Monitoring
- Acting as an ORM help desk for facilitating the Risk and Control Self Assessment (RCSA) process and resolving RCSA related queries.
- Coordinating with business and support units and developing the operational risk tolerance levels for each of the key risks identified.
- Monitoring Key Risk Indicators throughout the Bank.
III. Risk and Loss Event Reporting
- Reviewing loss event reports submitted by various business and support units of the Bank and accumulating the same in the loss event database.
- Implementing a reporting mechanism by generating reports from the loss event database in a timely manner, for monitoring critical risk issues and escalating the same to the senior management.
- Developing operational risk measurement methodologies which reasonably estimate unexpected losses.
- Developing operational risk database and data management capabilities to support the ORM framework, such as a centralized loss event database (including external operational loss events), comprising a set of risk metrics.
IV. Other
- Formulating ORM strategy, policies and procedures and other key elements of the ORM framework, for review and approval by the RMC / BOD.
- Creating a risk management culture throughout the Bank, which includes providing awareness of the significance of ORM and internal controls, generally accepted risk management practices, the Bank’s internal policies and procedures and the changes in the risk management systems.
- Reviewing outsourcing arrangements proposed by business and support units.
- Providing recommendations to the RMC regarding the appropriate resources and technology to be obtained for implementing the ORM framework.
- Liaising with the State Bank of Pakistan on operational risk matters.
Policy and Strategy for Operational Risk Management
Operational Risk policy and strategy has been built around the overall risk strategy of the
Bank and reflects the Bank’s appetite for risk and its understanding of the specific
characteristics of operational risk.
By implementing a Bank-wide ORM framework, the Bank aims to protect the interest of
the stakeholders as follows:
a. Providing depositors with greater reliability.
b. Providing quality services to customers and increasing their confidence in doing
business with the Bank.
c. Providing employees with the best possible working environment to improve their
morale and efficiency, and
d. Improving the overall financial image and reputation in front of the government
and regulators.
ORM Overall Strategy
In order to achieve the above objective, the strategy adopted by the Bank is to minimize
operational risk losses and articulate risk appetite and thresholds. In this regard, the Bank
has developed the strategy for identification, mitigation, assessment, monitoring,
reporting and measurement of operational risk. The ORMD, along with the support of the
RMC and senior management from business and support units, ensures that adequate
strategies are implemented to achieve the operational objectives of the Bank.
In order to achieve its ORM strategy, the Bank aims to implement an effective, consistent
and comprehensive ORM framework and approach for monitoring and communicating
risks, supported by a suite of principles, policies and controls, including a code of conduct,
authority guidelines, business process standards, policies regarding major risk categories,
systems and processing controls, and an approval process for new products.
V. Strategy for Operational Risk Identification and Assessment
The ORMD uses risk and control self assessment (RCSA) as a tool to categorize and
compute the operational risk inherent in all activities, procedures and structures. The RCSA
exercise is conducted within each key business and support unit in the Bank, mainly through
meetings/workshops with the senior management. The key business and support units are
identified using the following parameters:
a. The Bank’s operational and reporting structure.
b. Qualitative and quantitative materiality, and
c. Discussion with the HRM and the senior management of the Bank.
The output of the exercise is an RCSA matrix for each business and support unit,
mainly comprising the following:
a. Names of the key processes and their respective activities.
b. Inventory of key operational risks and key operational controls.
c. Inherent and residual risk assessment of each risk.
d. Description of key risk indicators.
The head of the respective business and support unit is responsible for identification of key
inherent risks, mainly arising from the following factors as defined by Basel II:
a. People risk;
b. Process risk;
c. System risk; and
d. External events
For the purpose of this exercise, each unit in the Bank nominates a senior management
person from the unit as RCSA coordinator.
The scope and time horizon for ORM is very wide, which makes it important to prioritize
key risks causing the greatest exposure. Best practices increasingly require risk to be
measured in quantitative terms. Hence, each identified key operational risk is assessed for
the severity and likelihood of its occurrence and then mapped to the Loss Event Types
specified by Basel II. The effectiveness of the controls associated with these risks is
assessed from both an inherent and residual risk perspective.
The RMC approves the Bank-wide operational risk impact and likelihood table based on
the recommendation of the HRM.
The risk impact table comprises the scores from 1 to 5 defined as:
Table 2.1: Risk Impact Table
Each of the above scores is defined as operational loss range bands in terms of Pakistani
Rupees in millions.
Similarly the risk likelihood table comprises the scores from 1 to 5 defined as:
Table 2.2: Risk Likelihood Table
Each of the above scores is defined in terms of time ranges such as almost monthly or
once in a year.
The risk assessment tables for risk impact and likelihood are reviewed on a periodic basis
and revised by the ORMD after getting the input from the senior management. Any
revisions to the risk assessment tables are referred to the RMC for approval.
During the workshop, the ORMD obtains input from the RCSA coordinator and the senior
management team participating in the workshop regarding key risk indicators (KRIs) to
be formulated for key operational risks and acceptable thresholds for the same. A KRI is a
combined measure of a Key Performance Indicator (KPI) and a Key Control Indicator
(KCI) that is used to link the residual impact of the risk with the likelihood of the risk
occurring. In other words, a KRI shows the extent of stress that a core process is facing.
KRIs are linked directly to risks, and at the time of developing KRIs the focus is
on the controls and the information systems available to the Bank for reporting
such KRIs.
In addition to the qualitative requirements of KRI data, it is important for KRIs to have
an element of measurability, and their thresholds are monitored at the specified periods
stated in the KRI.
The KRIs and the thresholds set for them are revisited by the senior management and
the ORMD on an annual basis or whenever required, and changes are made due to
improvement in the controls, change in risk appetite and availability of better IT systems
for KRI reporting.
The RCSA coordinator, annually or as and when required, undertakes the RCSA exercise
initiated by the ORMD to ensure that any changes to the unit’s operational / business
objectives, key operational risks and controls, inherent and residual risk assessment and
key risk indicators are captured. The results of the RCSA exercise are validated by the
Audit Division and forwarded to the ORMD for review. Further, RCSAs are reviewed by
the Manager ORMD and are approved and signed off by the Head of the respective business
and support units.
VI. Strategy for Operational Risk Monitoring and Mitigation
Business and support units are responsible for monitoring and mitigating operational
risks and correcting related internal controls in a timely manner.
Senior management of the business is responsible for ensuring that they have in place,
policies and procedures to control, monitor and mitigate operational risks. These policies
and procedures are supported by a strong control culture.
Operational Risk Monitoring
For the purpose of effective risk monitoring, the ORMD recommends a risk
appetite/tolerance table. It is expressed in terms of impact, through an appropriate limit
structure and control processes to enforce these limits.
The operational risk appetite/tolerance level for the Bank is determined and recommended by
the HRM after getting the input of the senior management of the Bank; it is then
endorsed by the RMC and approved by the BOD. The operational risk tolerance level is
documented and communicated via a separate BOD approved policy.
RMD considers the following factors while determining the Bank-wide operational risk
tolerance level:
a. Risk and Control Self Assessment Exercise,
b. Beta (β), set by the Basel Committee for Banking Supervision for eight business
lines under The Standardized Approach of Basel II,
c. Operational loss data of the Bank; and
d. Operational loss data collection exercise conducted by BIS.
The risk appetite table is reviewed and, if required, amended on an annual basis. The senior
management of the business and support units then develop the strategies for controllable
risks and for the risks which cannot be controlled. Such strategies include implementation of
additional controls or outsourcing of risk through insurance. Further, the KRIs are
developed during the RCSA exercise, along with their trends over a period of time.
Operational Risk Mitigation
As per the Basel Committee ORM Guidelines, a bank must have policies and procedures
to control and mitigate the operational risks arising from the following factors:
a. People risk
b. Process risk
c. System risk, and
d. External events.
The operations manual, which includes policies and procedures for the concerned business and
support unit, comprises the key operational controls to mitigate the key operational
risks from the process/function. These policies and procedures are reviewed by the
ORMD on a periodic basis to ensure all key operational controls have been documented.
Further, any proposed mitigation plans for key risks are reviewed by the Manager
ORMD, the HRM, the Head of Audit and the Head of Compliance before escalation to
the senior management and incorporation in the operations manual of the
concerned business and support unit. Implementation of the existing and proposed
policies and procedures is monitored by the operations group along with the audit and
compliance divisions.
VII. Strategy for Operational Risk Reporting and Measurement
The ORMD works with management of business and support units to prioritize risk
mitigation strategies. For this purpose the RCSA coordinators and the senior management
will report the following to ORMD:
a. Information relating to operational losses,
b. Deviations of actual KRIs from their acceptable thresholds,
c. Change in the residual risk profile due to change in the controls structure.
The reporting of operational loss events and KRI deviations is done by the management
to the ORMD.
- All operational loss data and near misses are reported to the ORMD on a monthly basis. Further, KRI monitoring reports and any breaches are reported on a quarterly basis by the respective business and support units’ RCSA Coordinators.
- Based on the reporting from the business and support units, the ORMD establishes an operational loss events database.
- Data is captured and reported as and when operational risk events occur and is classified in accordance with the Basel II risk categorization framework.
- The operational loss event database is used by the ORMD in producing operational loss and KRI reports.
The operational loss events with critical or high impact and likelihood levels as per the
Bank-wide risk impact and likelihood table will be escalated immediately by the ORMD
to the senior management of the respective business or support unit and the RMC for the
required action. The senior management of the concerned department is responsible for
taking the required remedial action/meeting.
These reports are consolidated and distributed by the ORMD to appropriate levels of
management dealing with the areas which may suffer potential operational impact. In
particular, the RMC needs to be made aware of all significant risk loss incidents or limit
excesses, as well as any follow up actions that have been taken.
Risk and Control Self Assessment (RCSA)
The RCSA is a structured process designed to enable the identification, self assessment,
evaluation, and monitoring of key operational risks and controls. The process shall also
result in:
a. Business/Support units assuming ownership of their respective key operational
risks and mitigating them through key operational controls on a regular basis.
b. Monitoring of key operational risks through KRIs and related KRI thresholds
c. Implementing controls and mitigating the risks to the acceptable levels, ensuring
that product/service delivery is handled as per policy guidelines and customer
relationships are maintained adequately
Purpose of RCSA
The purpose of RCSA is to:
a. Make most efficient use of resources.
b. Work with business owners to diagnose business processes and embedded risks.
c. Ensure application and compliance with policies, procedure, laws and regulations.
d. Enhance safety standards by assessing controls and their effectiveness.
Activity: Account Opening
Sub Activity: Entering customer information in the system
Risk ID: 1
Basel II Classification
   Loss Event Type 1: Execution, Delivery & process management
   Loss Event Type 2: Transaction capture, execution & maintenance
Inherent Risk
   Risk Description (Loss Event Type 3): Customer account master file information may be incorrectly entered in the system
   Impact: 3
Mitigating Controls
   Control ID 1.1: An independent person reviews the input of customer account master file information into the system for accuracy by matching it with account opening forms
   Control ID 1.2: All accounts opened are supervised by the branch manager.
Residual Risk Assessment
   Impact: 1
   Likelihood: 5
   Expected Loss: 5
Key Risk Indicators (KRI)
   Description: Number of audit objections
   Threshold: 0%
Summary of Responsibilities
   Process / Risk Owner: Account Opening Officer
   Control Owner: BM/BOM
Table 2.3: Activity Based Risk and Control Self Assessment (RCSA) at Soneri Bank
Likelihood Grid
The Likelihood Grid shows the score for the frequency of a risk. The scale runs from 1 to 5.
A score of 5 means that an event occurs every month, while a score of 1 means the event might
occur within 20 years.
Table 2.4: Likelihood Grid
Impact Grid
The Impact Grid of Soneri Bank indicates scores from 1 to 5, showing the ratings and losses
according to the table given below:
Table 2.5: Soneri bank’s Impact Grid
Heat Map
The heat map shows the relationship between impact and likelihood. All the risk events of
each department are mapped on the heat map so that it becomes easier to analyze how many
events are in the low risk category and how many are in the middle and high risk categories.
Table 2.6: Soneri Bank’s Heat Map
Analysis of Data from Survey
1) In what categories does Soneri Bank categorize the operational risk? (Please
select all that apply)
The categories in which most of the personnel in Soneri Bank place operational risk
are external events that cause damage to physical assets and unauthorized activities by
external parties, followed by other categories which can be viewed in the following
graph.
- External events that cause damage to physical assets: 100%
- Unauthorized activities by external parties: 100%
- Employment practices and workplace safety: 96%
- Intentional misconduct (internal fraud): 96%
- Client, Product and business practices: 96%
- Business disruption and system failures: 96%
- Business process risks: 92%
- Outsourcing: 80%
- Other: 8%
- Don’t know: 0%
2) To what extent has SONERI BANK applied technology in its operational risk
management program? (Please select all that apply)
- Technology is being used for the automation of risk reporting: 64%
- Technology is being used for the automation of risk monitoring: 96%
- Technology is being used for the automation of risk identification: 88%
- Technology is being considered: 12%
- None, no consideration has been given: 0%
- Don’t know: 4%
3) What is operational risk reporting used for? (Please select all that apply)
Operational risk reporting is extremely important as it is used in the day to day
management of Soneri Bank operations.
- Day to day management: 88%
- Compliance: 12%
- Financial reporting: 8%
- Strategic decision making: 12%
- External communication: 0%
- Other: 0%
4) What measures has SONERI BANK taken to reduce potential redundancies
in completing operational risk assessment (e.g. internal audit, risk management,
compliance)? (Please select all that apply)
Risk assessment and risk functions have been mostly consolidated in order to reduce
potential redundancies which might exist in operational risk assessment
- Consolidated risk assessment activities: 96%
- Consolidated risk assessment functions: 88%
- Established template with common assessment questions: 80%
- One governance or oversight function: 0%
- Other: 4%
- None: 0%
- Don’t know: 4%
5) Does operational risk management system capture the interrelation between
the various risks identified? (Please select all that apply)
The interrelation of operational risk with other risks is mostly captured in a quantitative
way by the operational risk management system.
- Yes, in a descriptive way: 36%
- Yes, in a quantitative way (e.g. correlations): 72%
- Yes, other: 0%
- No: 4%
- Don’t know: 0%
6) At what time intervals is the operational risk assessment reviewed? (Please
select all that apply)
The operational risk assessment is reviewed once yearly.
7) What information is collected as part of the operational risk assessment?
(Please select all that apply)
Risk description: 96%
Risk owner: 96%
Control description: 92%
Impact: 92%
Frequency: 92%
Risk ranking: 92%
Action plan if risk appetite/limit is breached: 92%
Key risk indicators: 96%
Risk appetite/Limit: 96%
Other: 16%
Don’t know: 4%
8) How is the operational risk function organized? (Please select all that apply)
Most of the risk management of operational risk is conducted centrally.
Embedded in the lines of business: 4%
Centralized: 88%
Both: 8%
Other: 0%
9) Please rate the following statements on their level of significance to SONERI
BANK's operational risk program. (1 = Not significant, 5 = Very significant, and
6 = Don’t know)
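Share of responses by rating:
Communication with other departments: rating 1: 4%; 2: 0%; 3: 8%; 4: 4%; 5: 84%
Risk Control self assessment: rating 1: 4%; 2: 4%; 3: 0%; 4: 24%; 5: 68%
Loss event management: rating 1: 4%; 2: 4%; 3: 0%; 4: 24%; 5: 68%
Strategies risk assessment: rating 1: 0%; 2: 16%; 3: 8%; 4: 28%; 5: 48%
Key risk assessment: rating 1: 0%; 2: 4%; 3: 4%; 4: 28%; 5: 64%
Scenario analysis/stress testing: rating 1: 0%; 2: 8%; 3: 16%; 4: 20%; 5: 56%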
CHAPTER FIVE: SUMMARY OF FINDINGS,
CONCLUSION & RECOMMENDATION
Findings
I. Interview
We interviewed Mr. Nadeem Ahmed Khan, Manager Operational Risk, Risk
Management Division, Soneri Bank. He gave us valuable information regarding the
operational risk management framework at Soneri Bank. He also helped us to develop the
questionnaire. He explained the basic structure for operational risk management. The
chart below shows the fundamental structure Soneri Bank follows for ORM:
Figure 2: Soneri Bank fundamental structure to follow ORM
II. Survey Results
On the basis of our assessment, it can be concluded that Soneri Bank is progressively
recognizing the importance of a well-engineered ORMF for working through diverse
economic settings and achieving its business goals, which, in a broader perspective, is
entirely accurate. The financial breakdown has magnified regulatory inspections,
the likelihood of greater reputation risk and the loss of Soneri Bank's self-assurance. These
consequences call for vigorous approaches, in both quantitative and qualitative
terms, for handling the core risks. Integrating technology, people and processes into
risk-mitigating actions will help in balancing compliance actions with strategic
opportunities.
However, for the organization to engage in a growth process, much effort is needed to
build up the ORMF, whether by upgrading the “tone at the top”, empowering
business decisions or re-engineering modeling and technological capabilities.
Conclusion
Most organizations consider ORM a chain of independent tasks, which
includes specifying control glitches, accumulating loss data, evaluating capital figures
and forming action plans.
Many firms have invested huge sums of money over time in implementing these
silo-based strategies but were unable to accomplish their targets. As a result, many have
wrongly concluded that ORM is an unimportant compliance exercise.
However, Operational Risk Management should not be considered a process of disjointed
tasks. Instead, it should be viewed as a planned course for formulating up-to-date
risk management conclusions, in which control information and significant risk are
included in a widespread structure. This approach is termed modern ORM. Modern
Operational Risk Management uses actuarial science as its basis: a technique for
calculating unexpected loss (risk) and expected loss (cost), which can be used to
optimize risk-reward and risk-control in the framework of cost-benefit analysis.
In a modern ORM scenario, senior management evaluates operational risk not as a
postscript, but as a vital module for business administration, strategic planning, and
enterprise risk management processes. Most firms have by now acknowledged the
advantages of modern ORM, and it could guide the way in setting new standards for
business practices.
Soneri Bank’s ORMF is well engineered and used proficiently to resolve various issues,
either by the predefined controls or by the bank's own identified controls. It is not
necessary to advise the bank to make modifications in accordance with the ideal ORMF. In
conformity with its particular classification of framework, processes and interface, the
functioning of its ORM structure is adequate and is certainly effective in controlling
numerous different risks, but evidently there are many areas where development
can be pursued further. It was determined that the effect of the risk concentration was a
problem identified by people rather than by the system, which
indicates that the result may be inconsistent, as the impact scale can lie
between 1 and 5 and can differ because different people have different perceptions.
Among other proposals presented to the ORM, one was the incorporation of some
composite algorithms, by means of numerous calculations in sequence, so that the system
would be able to indicate the strength of the risk impact itself.
Recommendation
To conclude this study, we propose the following recommendations to enhance the
establishment of a structured approach to operational risk management in Soneri Bank:
The framework for a structured approach should be used by Soneri Bank to enhance
the development of its operational risk processes.
As the concept of operational risk management is not yet fully established in
Soneri Bank, it is important to develop and implement a formal training program
for operational risk management. This will enhance the awareness of operational
risk in the bank and stimulate the interest in its management.
APPENDIX
Questionnaire
Thank you for taking the time to complete this survey. Your feedback is important to us
in suggesting ways to improve Operational Risk Management in Soneri Bank. This survey
should only take about 3 to 4 minutes of your time. Your answers will be completely
anonymous.
1) In what categories does SBL categorize the operational risk? (Please select all that
apply)
a. External events that cause damage to physical assets
b. Unauthorized activities by external parties
c. Employment practices and workplace safety
d. Intentional misconduct (internal fraud)
e. Client, product and business practices
f. Business disruption and system failures
g. Business process risks
h. Outsourcing
i. Other
j. Don’t know
2) To what extent has SBL applied technology in its operational risk management
program? (Please select all that apply)
a. Technology is being used for the automation of risk reporting
b. Technology is being used for the automation of risk monitoring
c. Technology is being used for the automation of risk identification
d. Technology is being considered
e. None, no consideration has been given
f. Don’t know
3) What is operational risk reporting used for? (Please select all that apply)
a. Day to day management
b. Compliance
c. Financial reporting
d. Strategic decision making
e. External communication
f. Other
g. Don’t know
4) What measures has SBL taken to reduce potential redundancies in completing
operational risk assessment (e.g. internal audit, risk management, compliance)?
(Please select all that apply)
a. Consolidated risk assessment activities
b. Consolidated risk assessment functions
c. Established template with common assessment questions
d. One governance or oversight function
e. Other
f. None
g. Don’t know
5) Does the operational risk management system capture the interrelation between the
various risks identified? (Please select all that apply)
a. Yes, in a descriptive way
b. Yes, in a quantitative way (e.g. correlations)
c. Yes, other
d. No
e. Don’t know
6) At what time intervals is the operational risk assessment reviewed? (Please select
all that apply)
a. Ad hoc
b. Monthly
c. Quarterly
d. Yearly
e. With bank’s reporting cycle
f. Other
g. Don’t know
7) What information is collected as part of the operational risk assessment? (Please
select all that apply)
a. Risk description
b. Risk owner
c. Control description
d. Impact
e. Frequency
f. Risk ranking
g. Action plan if risk appetite/limit is breached
h. Key risk indicators
i. Risk appetite/Limit
j. Other
k. Don’t know
8) How is the operational risk function organized? (Please select all that apply)
a. Embedded in the lines of business
b. Centralized
c. Both
d. Other
9) Please rate the following statements on their level of significance to SBL's
operational risk program. (1 = Not significant, 5 = Very significant, and 6 = Don’t know)
Scale
1. Communication with other departments 1 2 3 4 5 6
2. Risk Control self-assessment 1 2 3 4 5 6
3. Loss event management 1 2 3 4 5 6
4. Strategies risk assessment 1 2 3 4 5 6
5. Key risk assessment 1 2 3 4 5 6
6. Scenario analysis/stress testing 1 2 3 4 5 6
Thank you so much for your time.
OPERATIONAL RISK MANAGEMENT FRAMEWORK IN SONERI BANK 49
References
Authority, F. S., 1999. A paper by FDA Informal Working Party on Allocating Regula-tory Capital for Operational Risk. s.l.:s.n.
Cooper, P., 1999. Operational Risk - The Next Frontier. USA: British Bankers Associa-tion, s.l.: s.n.
Crouchy, M. &. M. R., 2000. Operational Risk, in The Professional's Handbook of Fi-nancial Risk Management. s.l.:Oxford: Butterworth Heinemann.
Davies, J. F. M. L. S., 1998. Defining and Aggregating Operational Risk Information in Operational Risk and Financial Institution. London: Risk Books.
Davies, J. F. M. L. S., 1998. defining and Aggregating Operational Risk Information in Operational Risk And Financial Institution.. London: Risk Books.
Donahoe, T., 1999. Role Playing. Some operational risk groups are struggling to make their remit clear: Operational Risk Special Report, s.l.: s.n.
Hoffman, D., 1998. New Trends in Operational Risk Measurement and Management in Operational Risk and Financial Institutions. London: Risk Books.
Katz, I., 1995. Financial Risk Manager. London: Euromoney Books.
OPERATIONAL RISK MANAGEMENT FRAMEWORK IN SONERI BANK 50
Kingsley, S., 1998. Operational Risk and Financial Institutions: Getting Started in Oper-ational Risk and Financial Instituions. London: Risk Books.
Laycock, M., 1998. Analysing of Mishhandling Losses and Processing Errors in Applica-tions of Operational Risk and Financial Institutions. London: Risk Books.
Mayland, P., 1993. Operational Credit Risk Assessing and Controlling Credit Risk in Bank Operating Services. USA: Probus Publishing.
Rachlin, C., 1998. Operational Risk in Retail Banking: Promoting and Embedding Risk Awareness across Diverse Banking Groups in Operational Risk and Financial Institu-tions. London: Risk Books.
Remenyi, D. &. H. A., 1996. Business Process re-engineering: Some aspects of how to evaluate and manage the risk exposure.. s.l.:International Journal of Project Manage-ment.
Supervision, B. C. o. B., 1998. Operational Risk Management. s.l.:s.n.
Williams, D., 2000. The Risk Factors of E-Commerce (Industry Trend or Event) , s.l.: Meridien Research Report.
Wilson, D., 2000. Operational Risk in The Professional's Handbook of Financial Risk Management.. s.l.:s.n.
OPERATIONAL RISK MANAGEMENT FRAMEWORK IN SONERI BANK 51