OPERATIONAL RISK MANAGEMENT: UNDERSTANDING AND MAPPING YOUR RISK LANDSCAPE
Presentation by: Eneni Oduwole
FBN CCPD, 2014 (ORGANIZED BY CIBN)
OUTLINE
1. Introduction
2. What is OpRisk Mgt
3. Classification of OpRisk
4. Components of OpRisk
5. OpRisk Identification
6. Methods of OpRisk Identification
7. OpRisk Tools
8. Understanding & Mapping OpRisks
9. Challenges of OpRisk
10. Prioritizing Risks
11. Risk Treatments
INTRODUCTION
Operational risk, broadly speaking, is the risk of loss resulting from any operational failure in an organization
Such events include direct and indirect actions that may lead to increased errors, system failures, acts of nature, non-adherence with internal policies and regulatory stipulations
Operational Risk is the responsibility of all staff in an organization – junior, middle and senior staff
Involves interfacing with all business units and business areas in the organization
WHAT IS OPERATIONAL RISK
‘the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events’…Basel Definition
‘the risk of loss resulting from inadequate or failed internal processes, systems or human factors, or from external events. It includes the reputation and franchise risk associated with business practices or market conduct in which the Company is involved’…Citigroup Definition
CLASSIFICATION OF OPRISK
Operational risk can be classified according to the following:
─ The nature of the loss: internally inflicted or externally inflicted
─ The impact of the loss: direct losses or indirect losses
─ The degree of expectancy: expected or unexpected
─ Risk type, event type, and loss type
─ The magnitude (or severity) of loss and frequency of loss
OPRISK COMPONENTS IN OTHER KEY RISKS
Credit Risk
─ Documentation issues, rate change issues, appropriate portfolio classification, error rates, manual processes, non-adherence with approved contract terms and risk rating…
Market Risk
─ Instituting and adhering to limits, manual processes, non-adherence with policy guidelines, key man risks…
Strategic Risk
─ Non-monitoring of milestone achievements or failures, non-adherence with agreed strategic plan, failure to review plans for consistency with business environment
Reputational Risk
─ Non-monitoring of internal and external factors that could have adverse impact on brand equity / public perception
OPRISK IDENTIFICATION
This process entails the recognition, categorization, prioritization and enlisting of prevalent risks in the organization
It usually starts with the review of issues / concerns affecting a business process, product or service; thereafter close monitoring and tracking of key issues that might affect set goals and objectives is embarked upon
The identification of risks also allows for conduct of causal analysis which enables better understanding and categorization of risk drivers
Classification of risk drivers reduces redundancy and ensures easier management of risk factors in later phases of the risk management process; classifying risks also provides for the creation of risk checklists, risk registers, and databases for future projects
METHODS FOR OPRISK IDENTIFICATION
Documentation Review
Other Information Gathering Techniques such as Interviews with Process Owners
Conduct of Surveys
Checklist Analysis
Root Cause Analysis
Assumption Analysis
All of these tools can be used in developing a database of key risk factors to be monitored by the organization… “Key Risk Indicator Dashboard”
OpRisk Tool: RISK CONTROL SELF ASSESSMENTS (RCSA)
RCSA is a simple process by which the risk profile of an organization can be ascertained and prevalent risks and controls evaluated
It is a participative process that relies on inputs from everyone involved in running the business or managing relevant processes
It is qualitative and therefore cannot be analyzed for corrective actions
Frequency of exercise should be derived by a risk-based approach
OpRisk Tool: LOSS DATA COLLATION
Process of collating data resulting from operational risk events relating to people, process, system and external events risks
Assists with identifying trends
Ensures cost-effective controls are deployed to mitigate likely risks
Enables determination of risk concentration and adequate capital charge estimation
Loss data includes:
─ Actual losses
─ Near misses (potential and prevented losses)
OpRisk Tool: BUSINESS CONTINUITY MANAGEMENT
Management of an end-to-end process from incident management to full restoration of all services and business processes
It involves putting in place strategies for all operational risk elements (people, process, systems and external events) to enable an organisation to respond appropriately when a disaster occurs:
─ Response
─ Resumption
─ Recovery
─ Restoration
It requires that recovery plans are put in place for all departments and business activities of the Bank
It also requires that business functions are ranked in order of priority to the organization in terms of financial or reputational relevance
OpRisk Tool: KEY RISK INDICATORS (KRIS)
Quantitative parameters used to identify changes in the risk profile of business activities and processes
Examples include:
─ Number of training interventions per staff per year; Exit rate
─ Number of fire / robbery incidents recorded; Link availability per month
Enables the following:
─ Clear understanding of how risk profiles change
─ Determination of volatility of risks across the business environment
─ Providing a forward looking perspective on current risk profile
─ Understanding of early warning signals for emerging risks
OpRisk Tool: KRIS (cont’d)
KRIs are measurable metrics that identify trends and track possible exposures; they are quantitative parameters used to identify changes in the risk profile of business activities and processes
KRIs enable the following:
‒ Determination of volatility of risks across the business environment
‒ Determination of risk concentrations
‒ Determination of risk patterns
Objectives for having defined KRIs should include:
‒ Ensuring that a process for predicting the pattern / behaviour of current risk profile is in place
‒ Enabling early warning signs for emerging risks to be picked up as they crystallize
OpRisk Tool: OPRISK REPORTING
Periodic detailing of OpRisk trends identified from Key Risk Indicator trending, Loss Data Collation trends and key risks identified from RCSA reviews
Should be circulated to key decision-makers within the organization
Should highlight key risks identified with recommended mitigants for controlling respective risks
Should serve as a decision-making tool for budgeting and resource allocation
UNDERSTANDING & MAPPING THE RISK LANDSCAPE
Understand the strategic intent of the organization in the short, medium or long term
Drill this into expected deliverables within the respective timeframes
Determine core business activities that would be focused on to achieve these expected deliverables
Isolate the core drivers of these core business activities
Develop quantitative parameters for tracking these core drivers
Agree on trigger limits with business process owner
UNDERSTANDING & MAPPING THE RISK LANDSCAPE (CONT’D)
Monitor the trends of these parameters, where adverse trends are observed:
‒ Conduct a Causal Analysis to determine prevalent risk factors
‒ Determine areas of the business affected by this adverse trend
‒ Identify likely constraint to the organization resulting from this adverse trend
‒ Estimate impact and severity to the organization should the risk crystallize
‒ Report on risk trend identified
KEY OPRISK PROBLEMS
Determine the risk tolerance levels or thresholds for each major operational risk
Determine optimal risk treatments in terms of risk-control and risk-transfer relationships in the context of cost-benefit analysis
Determine the impact that decisions taken by Management would have on the organization’s exposure to operational risk
PRIORITIZING RISKS
Requires the estimation of risk factors into defined categories for risk treatment
These categories are:
High – Medium – Low Risks (for 3-tiered Risk Bands)
High – Medium/High – Medium – Medium/Low and Low Risks (for 5-tiered Risk Bands)
These bands are defined to direct the organization on appropriate risk treatments required for identified risk factors; defined risk categories are also indicative of likely risk exposure (impact x probability)
[Figure: risk matrix plotting probability (High, Medium, Low) against impact (Low, Medium, High)]
PRIORITIZING RISKS IN YOUR ORGANIZATION
Risk prioritization must be based on the following:
‒ The Risk Appetite of the organization
‒ The Business Model of the organization
‒ Regulatory Requirements
‒ Business objectives in the short, medium and long terms
‒ Risk – Reward Analysis
‒ Response style of the organization
‒ Maturity of the Risk-Aware Culture
DEALING WITH THE RISK EXPOSURES
Terminate: when cost is higher than benefit; no competencies for managing risk
Tolerate: when cost is within risk appetite levels or insignificant to benefit; no brainer
Treat: when benefit from business venture is seriously threatened; staff and business model / structure can implement and support control
Transfer: when benefit is threatened but staff / business model may not support required control (risk may be shared or transferred completely)
CONSIDERATIONS FOR SELECTING APPROPRIATE ACTION PLANS
Policy Changes: Consider regulatory / legal / ethical issues such as modifications of banking & related policies
In-House Actions: Consider appropriate plans that would fit into the organization’s business strategy / model / structure, and culture
Simplicity: Action plans should be rid of complexities / complex methodologies which might sabotage the correction process; new process / control should be easy for auditors to review
Implementation: Incorporation of related activities into routine business processes should be seamless; relevant parties should be carried along; cost effectiveness considered
Review: Tracking of implementation should be easy; effectiveness of control should be tested periodically
TRACKING RESULTS OF ACTION PLANS
CONCLUSION
A qualitative Risk Assessment is usually the first step required for identifying prevalent risk drivers and attributes
It is important that the Risk Assessment approach adopted is based on the organization’s culture, behaviour and attitude in managing issues
The Risk Maturity of the Organization should also be considered
For very structured organizations, brainstorming approaches would yield better results whilst for less structured organizations the conduct of interviews would be more worthwhile
For optimal results, a hybrid approach with all levels of staff involved is highly recommended; this way both strategic and operational risk exposures organization-wide are unearthed
FOOD FOR THOUGHT
“The key to successful ERM practices depends on the behavioural attributes of the organization at all levels.” – RIMS
“One of the greatest contributions of a risk manager – arguably the single greatest – is just carrying a torch around and providing transparency.” Enterprise Risk Management, (Chapter 5 “Becoming the Lamp Bearer” by Anette Mikes)