Operational Risk Management - Understanding Your Risk Landscape

OPERATIONAL RISK MANAGEMENTUNDERSTANDING AND MAPPING YOUR RISK LANDSCAPE

Presentation by: Eneni Oduwole1

FBN CCPD, 2014 (ORGANIZED BY CIBN)

OUTLINE

1. Introduction

2. What is OpRisk Mgt

3. Classification of OpRisk

4. Components of OpRisk

5. OpRisk Identification

6. Methods of OpRisk Identification

7. OpRisk Tools

8. Understanding & Mapping OpRisks

9. Challenges of OpRisk

10. Prioritizing Risks

11. Risk Treatments

2


INTRODUCTION

Operational risk, broadly speaking, is the risk of loss resulting from any operational failure in a organization

Such events include direct and indirect actions that may lead to increased errors, system failures, acts of nature, non-adherence with internal policies land regulatory stipulations

Operational Risk is the responsibility of all staff in an organization – junior, middle and senior staff

Involves interfacing with all business units with all business areas in the organization

3


WHAT IS OPERATIONAL RISK

‘the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events’…Basel Definition

‘the risk of loss resulting from inadequate or failed internal processes, systems or human factors, or from external events. It includes the reputation and franchise risk associated with business practices or market conduct in which the Company is involved’…Citigroup Definition

4


CLASSIFICATION OF OPRISK

Operational risk can be classified according to the following:

─ The nature of the loss: internally inflicted or externally inflicted

─ The impact of the loss: direct losses or indirect losses

─ The degree of expectancy: expected or unexpected

─ Risk type, event type, and loss type

─ The magnitude (or severity) of loss and frequency of loss

5


OPRISK COMPONENTS IN OTHER KEY RISKS

Credit Risk─ Documentation issues, rate change issues, appropriate portfolio classification, error rates, manual

processes, non-adherence with approved contract terms and risk rating…

Market Risk─ Instituting and adhering to limits, manual processes, non-adherence with policy guidelines, manual

processes, key man risks…

Strategic Risk─ Non-monitoring of milestone achievements or failures, non-adherence with agreed strategic plan,

failure to review plans for consistency with business environment

Reputational Risk─ Non-monitoring of internal and external factors that could have adverse impact on brand equity /

public perception6


OPRISK IDENTIFICATION

This process entails the recognition, categorization, prioritization and enlisting of prevalent risks in the organization

It usually starts with the review of issues / concerns affecting a business process, product or service; thereafter close monitoring and tracking of key issues that might affect set goals and objectives is embarked upon

The identification of risks also allows for conduct of causal analysis which enables better understanding and categorization of risk drivers

Classification of risk drivers reduces redundancy and ensures easier management of risk factors in later phases of the risk management process; classifying risks also provides for the creation of risk checklists, risk registers, and databases for future projects

7


METHODS FOR OPRISK IDENTIFICATION

Documentation Review

Other Information Gathering Techniques such as Interviews with Process Owners

Conduct of Surveys

Checklist Analysis

Root Cause Analysis

Assumption Analysis

All of these tools can be used in developing a database of key risk factors to be monitored by the

organization…

“Key Risk Indicator DashboardKey Risk Indicator Dashboard”

All of these tools can be used in developing a database of key risk factors to be monitored by the

organization…

“Key Risk Indicator DashboardKey Risk Indicator Dashboard”

8


OpRisk Tool: RISK CONTROL SELF ASSESSMENTS (RCSA)

RCSA is a simple process by which the risk profile of an organization can be ascertained and prevalent risks and controls evaluated

It is a participative process that relies on inputs from everyone involved in running the business or managing relevant processes

It is qualitative and therefore cannot be analyzed for corrective actions

Frequency of exercise should be derived by a risk-based approach

9


Process of collating data resulting from operational risk events relating to people, process, system and external events risks

Assists with identifying trends

Ensures cost-effective controls are deployed to mitigate likely risks

Enables determination of risk concentration and adequate capital charge estimation

Loss data includes: ─ Actual losses─ Near misses (potential and prevented losses)

OpRisk Tool: LOSS DATA COLLATION

10


Management of an end-to-end process from incident management to full restoration of all services and business processes

It involves putting in place strategies for all operational risk elements (people, process, systems and external events) to enable an organisation respond appropriately when a disaster occurs:─ Response─ Resumption ─ Recovery ─ Restoration

It requires that recovery plans are put in place for all departments and business activities of the Bank

It also requires that business functions are ranked in order of priority to the organization in terms of financial or reputational relevance

OpRisk Tool: BUSINESS CONTINUITY MANAGEMENT

11


Quantitative parameters used to identify changes in the risk profile of business activities and processes

Examples include:─ Number of training interventions per staff per year; Exit rate ─ Number of fire / robbery incidents recorded; Link availability per month

Enables the following:─ Clear understanding of how risk profiles change─ Determination of volatility of risks across the business environment─ Providing a forward looking perspective on current risk profile─ Understanding of early warning signals for emerging risks

OpRisk Tool: KEY RISK INDICATORS (KRIS)

12


OpRisk Tool: KRIS (cont’d)

Are measurable metrics that identify trends and track possible exposures; they are quantitative parameters used to identify changes in the risk profile of business activities and processes

KRIs enable the following:

‒ Determination of volatility of risks across the business environment

‒ Determination of risk concentrations

‒ Determination of risk patterns

Objectives for having defined KRIs should include:

‒ Ensuring that a process for predicting the pattern / behaviour of current risk profile is in place

‒ Enabling early warning signs for emerging risks to be picked up as they crystallize

13


OpRisk Tool: OPRISK REPORTING

Periodic detailing of OpRisk trends identified from Key Risk Indicator trending, Loss Data Collation trends and key risks identified from RCSA reviews

Should be circulated to key decision-makers within the organization

Should highlight key risks identified with recommended mitigants for controlling respective risks

Should serve as a decision-making tool for budgeting and resource allocation

14


UNDERSTANDING & MAPPING THE RISK LANDSCAPE

Understand the strategic intent of the organization in the short, medium or long term

Drill this into expected deliverables within the respective timeframes

Determine core business activities that would be focused on to achieve these expected deliverables

Isolate the core drivers of these core business activities

Develop quantitative parameters for tracking these core drivers

Agree on trigger limits with business process owner

15


UNDERSTANDING & MAPPING THE RISK LANDSCAPE (CONT’D)

Monitor the trends of these parameters, where adverse trends are observed:

‒ Conduct a Causal Analysis to determine prevalent risk factors

‒ Determine areas of the business affected by this adverse trend

‒ Identify likely constraint to the organization resulting from this adverse trend

‒ Estimate impact and severity to the organization should the risk crystallize

‒ Report on risk trend identified

16


KEY OPRISK PROBLEMS

Determine the risk tolerance levels or thresholds for each major operational risk

Determine optimal risk treatments in terms of risk-control and risk-transfer relationships in the context of cost-benefit analysis

Determine the impact that decisions taken by Management would have on the organization’s exposure to operational risk

17


PRIORITIZING RISKS

Requires the estimation of risk factors into defined categories for risk treatment

These categories are:

High – Medium – Low Risks (for 3-tiered Risk Bands)

High – Medium/High – Medium – Medium/Low and Low Risks (for 5-tiered Risk Bands)

These bands are defined to direct the organization on appropriate risk treatments required for identified risk factors; defined risk categories are also indicative of likely risk exposure (impact x probability)

High Probability

Medium Probability

Low Probability

Low Impact Medium Impact High Impact

18


PRIORITIZING RISKS IN YOUR ORGANIZATION

Risk prioritization must be based on the following:

‒ The Risk Appetite of the organization

‒ The Business Model of the organization

‒ Regulatory Requirements

‒ Business objectives in the short, medium and long terms

‒ Risk – Reward Analysis

‒ Response style of the organization

‒ Maturity of the Risk-Aware Culture

19


DEALING WITH THE RISK EXPOSURES

Terminate: when cost is higher than benefit; no competencies for managing risk

Tolerate: when cost is within risk appetite levels or insignificant to benefit; no brainer

Treat: when benefit from business venture is seriously threatened; staff and business model / structure can implement and support control

Transfer: when benefit is threatened but staff / business model may not support required control (risk may be shared or transferred completely)

20


CONSIDERATIONS FOR SELECTING APPROPRIATE ACTION PLANS

Policy Changes: Consider regulatory / legal / ethical issues such as modifications of banking & related policies

In-House Actions: Consider appropriate plans that would fit into the organization’s business strategy / model / structure, and culture

Simplicity: Action plans should be rid of complexities / complex methodologies which might sabotage the correction process; new process / control should be easy for auditors to review

Implementation: Incorporation of related activities into routine business processes should be seamless; relevant parties should be carried along; cost effectiveness considered

Review: Tracking of implementation should be easy; effectiveness of control should be tested periodically

21


TRACKING RESULTS OF ACTION PLANS

22


CONCLUSION

A qualitative Risk Assessment is usually the first step required for identifying prevalent risk drivers and attributes

It is important that the Risk Assessment approach adopted is based on the organization’s culture, behaviour and attitude in managing issues

The Risk Maturity of the Organization should also be considered

For very structured organizations, brainstorming approaches would yield better results whilst for less structured organizations the conduct of interviews would be more worthwhile

For optimal results, a hybrid approach with all levels of staff involved is highly recommended; this way both strategic and operational risk exposures organization-wide are unearthed

23


FOOD FOR THOUGHT

“The key to successful ERM practices depends on the behavioural attributes of the organization at all levels.” – RIMS

“One of the greatest contributions of a risk manager – arguably the single greatest – is just carrying a torch around and providing transparency.” Enterprise Risk Management, (Chapter 5 “Becoming the Lamp Bearer” by Anette Mikes)

24

THANK YOUThank you

25

Eneni [email protected];

234-8033045896