
Garp Webcast 082715

Page 1

On24 Tech Tips
• Make sure your speakers are on
• Hit F5 any time your console freezes
• For a LIVE event you should be hearing music now
• Use the “Ask a Question” feature to report issues
• Webcast starts at the top of the hour

Presented by:
Brenda Boultwood, SVP, Industry Solutions, MetricStream
Mike Finlay, Chief Executive, RiskBusiness International Limited

August 27, 2015
GARP Webcast
Integrating Operational Risk Management into an Enterprise Risk Framework

Page 2

Mike has over 30 years’ experience in banking and finance, having started out pricing equity derivatives on the Johannesburg Stock Exchange. The majority of his career has focused on risk, specifically in the middle- and back-office environment. He has been responsible for establishing new business departments in the derivatives area, restructuring international payments businesses, developing regulatory banking law and implementing risk management frameworks in both international banking firms and in large corporates. He developed the initial risk management framework for the Bond Market Exchange of South Africa and led the integration of all trading and financial risk management activities across a leading mining and industrial conglomerate, while on the insurance side, Mike worked with insurance companies in developing an operational risk methodology to support the requirements of Solvency II. Mike led the development of the KRI Framework underlying the KRIeX.org KRI Library, the development of the KRI Library itself and has worked on the development of loss data consortium requirements for several national and regional banking associations and consortia. Mike led a large multi-million Euro project in the area of risk and control self-assessment, has led scenario-based ICAAP assessments, assisted firms in achieving AMA accreditation and recently assisted a leading Western European regulator in conducting their periodic AMA accreditation review programme.

Part of the focus on risk has included technology, risk assessment and training. Mike is a frequent lecturer on operational risk for banking supervisors at the Bank for International Settlements, as well as at industry conferences and seminars. Mike is a regular guest lecturer on risk management at Judge Business School, Cambridge University, as well as at the University of South Africa (UNISA). He has worked with the World Bank/IFC in the Russian Federation and across Eastern Europe, as well as with the Financial Services Volunteer Corps and the BIS’ Financial Stability Institute in ongoing risk management education and knowledge transfer in Europe and Africa.

Mike obtained a Bachelor of Commerce degree from the University of the Witwatersrand, Johannesburg and read for an MBA from Henley Management School/Brunel University through the Graduate Institute of Management and Technology in South Africa. He is a Fellow of the South African Institute of Bankers, a Director, Vice Chair and Fellow of the Institute of Operational Risk, a member of the Association of Certified Fraud Examiners and a Charter Member of Risk Who’s Who. Mike was recognized in January 2009 by OpRisk & Compliance magazine as one of the “Top 50 Faces of Operational Risk” and was responsible for RiskBusiness being awarded one of ten “Ten Years of Operational Risk Achievement Awards” for its work on risk content and taxonomies.

Mike Finlay, Chief Executive, RiskBusiness International Limited

Page 3

Brenda Boultwood is Senior Vice President of Industry Solutions at MetricStream. Before joining MetricStream, Brenda was Senior Vice President and Chief Risk Officer for Constellation Energy where she led risk management activities for Constellation Energy and its businesses, including defining and assessing enterprise-wide business risks and facilitating proactive decision-making to effectively manage the risks associated with each business line.

Prior to joining Constellation Energy, Brenda served in a number of roles at JPMorganChase, including serving as head of risk management for their Treasury Services business. Prior to that, Brenda served as head of market risk, counterparty credit risk and operational risk management at Bank One Corporation. Brenda also worked with PricewaterhouseCoopers as a senior manager in its Financial Risk Management Consulting Practice and was employed with Chemical Bank Corporation as a financial engineering associate. In addition, she spent six years teaching in the University of Maryland’s Master of Business Administration program.

Brenda was a member of the CFTC Technology Advisory Committee, and serves on the Board of the Committee of Chief Risk Officers (CCRO). She previously served as a Board Member of the Global Association of Risk Professionals (GARP). She earned a Ph.D. in economics.

Brenda Boultwood, MetricStream

Page 4

Enterprise Risk Management (ERM)

• COSO definition: enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
• Covers all eight recognized risk types:
  • Strategic Risk
  • Business Risk
  • Credit Risk
  • Market Risk
  • Operational Risk
  • Liquidity Risk
  • Insurance (Perils, Underwriting) Risk
  • Environmental Risk

Page 5

Operational Risk Management (ORM)

• Basel II definition: the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The definition includes legal risk but excludes strategic and reputational risk.
• Business definition: any actual or potential adverse or unexpected impact upon a business arising from any aspect of its business other than from pure market risk, credit risk or liquidity risk.
• Issues:
  • Boundaries with other risk types; operational risk is embedded in all other risk types
  • No direct correlation to volumes, market volatility, economic cycles or other easily quantifiable factors
  • Direct link to the “human factor”
  • The business intuitively accepts it as part of “business as usual” and has difficulty understanding the “regulatory” rationale behind elevating it to a distinct risk type

Page 6

Proliferation of forms of Operational Risk

• ORM is accepted as including errors, system issues, legal issues, process failures, natural disasters and fraud; other forms are often considered separate risk “types”:
  • Compliance – actually the risk of non-compliance, which is either a people or process issue
  • Reputation – actually measures the impact or consequences of other risk types, mainly of operational risk manifestation
  • Information Security – the risk of loss of data (error, process failure or theft), missing data (process failure) or corruption of data (error, process failure or system issue)
  • Conduct – the risk that staff misbehave, fail to follow procedures or that the firm adopts inappropriate business practices (people or process failures) – also referred to as People risk
  • Culture – the risk that the firm has an inappropriate culture (people, process failure, management)
  • Business continuity – the risk that a natural disaster causes business disruption (systems issues, external factors)

Page 7

Cross-over between risk types

• Consider the 2012 Fukushima Daiichi disaster in Japan:
  • Overt cause: earthquake which triggered a tsunami which caused structural damage to the nuclear plant, power outages which affected cooling and contamination of water supplies, preventing cooling, all leading to a nuclear incident
  • Overt classification: operational risk
• But:
  • During the original construction phase, engineers were aware that sea defence walls were not high enough to counter known probable sea levels, but they were left due to cost implications
  • Primary control failure: inadequate sea defence walls
• So:
  • Actual risk type: business risk

Page 8

Cross-over between risk types

• Consider the 2010 BP Deepwater Horizon oil spill in the Gulf of Mexico:
  • Overt cause: pressure in the well caused the safety collar to rupture, leading to a spill measured at around 1,000 barrels per day, with massive environmental damage
  • Overt classification: operational risk
• But:
  • In all other fields, BP employed multiple safety collars
  • Multiple engineer reports reflected concern about the strength of steel used, cement mixture used, number of collars and centralizers, all reduced to save costs and time
• So:
  • Actual risk type: business risk

Page 9

An ethical dilemma

Page 10

Three lines of defense

• The three lines of defense model is actually not a risk model, it is a governance model.
• It focuses on the governance structure of the firm: who is accountable for what and how accountability is delegated across the firm’s structure
• As a consequence of appropriate delegations and limits on delegations, risk is managed at the appropriate point within risk appetite tolerances
• A sound three lines of defense model is risk agnostic and supports ERM:
  • Line 1 is the business and its immediate support functions
  • Line 2 provides direction, oversight and challenge (#OCD)
  • Line 3 is responsible for independent assurance
• A core function of the three lines of defense model is the establishment and functioning of accountable governance forums, which in turn report back to the delegant of authority.

Page 11

Unite Multiple Perspectives on Risk Assessment

Visualize the Process and Associate Risks at Each Process Step

[Diagram: a GRC Platform with a Business Process Modeling Capability inherent in the federated GRC platform, showing visualizations of various risk perspectives aligned with the business process, using an Accounts Payable Process as the example. Risk perspectives shown: Third Party Risk, Technology Risk, Legal Risk, Human Capital Risk, Geo-political Risk, BCM Risk, Process Related Risk, Reputational Risk.]

Page 12

Integrated Enterprise Risk Framework

Improved risk identification and control monitoring:
• Business unit owned
• Incorporates integrated functional input in identification and quantification of risks

Risk and control assessment of end-to-end business processes:
• Risk identification
• Risk severity and importance ratings
• Control effectiveness ratings

Standard libraries of risks and controls ensure a consistent methodology and facilitate aggregation by common attributes:
• Facilitates risk aggregation across business units, functions and the enterprise
• Controls evaluated once and leveraged by other linked functions and processes
• Highlights interdependencies between risks and controls spanning numerous processes and functions

Page 13

Implementing an Effective Risk Management Approach

• Centralised, integrated risk framework
  • Same vocabulary, same rating scales, a single risk taxonomy ensuring consistency
  • Streamlined process for assessment, analysis, mitigation
  • Access to structured risk information & risk intelligence
  • Better understanding of risk profiles
• Integrate risk management into decision making and strategic planning
  • Centralized view of risks aligned to corporate strategy & objectives
  • Real-time information for the decision making process
  • A robust board level reporting and review process
• Streamlined framework and an integrated GRC system approach
  • Build a strong risk culture - alignment among different units, processes
  • Enterprise-wide visibility and control

A technology solution serves as the foundation for the company’s enterprise-wide risk and control activities

Page 14

Common Data Objects

Risk Data Model: Universal and Consistent

Core objects: Organization, Risk, Control, Area of Compliance, Requirement, Standard, Regulatory Body, Objectives, Financial Account, Function, Question / Procedure, Reference, Process, Product, Asset, Asset Class, Evidence, Exception

• Risk Assessments: Risk Assessment Plan, Risk Assessment, Assessment Factor, Perspective
• Issues: Issue, Action
• Incidents: Incident, Investigation
• Regulatory Alerts: Regulatory Review, Regulatory Alert
• Metrics: Metric, Metric Data
• Loss Events: External Loss, Internal Loss
• Compliance Testing: Self-Assessment / Test Plan, Self-Assessment, Certification, Test
• Scenario Analysis: Scenario Workshop, Scenario, Scenario Response

Page 15

Risk Intelligence for Business Performance

[Diagram: GRC Processes (Control Tests, Policy Management, Surveys, Self Assessments, Monitoring, Audits, Issue Management), Risk Assessments, Internal & External Data (Content, Organizational Data, Loss Data with Severity and Frequency, Threats & Vulnerabilities across Servers/Computers/Mobile/Cloud Assets, External Feeds such as Regulatory Updates and Social Monitoring) and Risk Metrics, KRIs / KPIs & Business Objectives feed Reporting & Analytics: Plug ‘n Play Analytics, Advanced Data Visualizations, Report & Dashboarding, Heat Maps, Business Objectives, KRIs, KPIs.]

Page 16

Communication of Top Risks, Emerging Risk and Strategic Risks

To build and maintain an effective risk management framework, a company must continuously evaluate the risk landscape

• Top risks are highlighted to ensure that executive management is focusing on the priority risks to the company
• Emerging risks are identified based upon new systemic, political and market factors, as well as other current events
• Strategic risks assess underlying emerging and systematic risks incorporated in the strategic plan that could derail the strategy and business plan

By understanding the enterprise risk factors, a company can develop strategies to optimize controls, improve performance and reduce the negative impacts to the business

Page 17

Adopt an Integrated Approach to ERM

• A centralized risk framework to ensure consistent risk information is maintained across the organization
  • Common Risk, Control, & Process Libraries
  • Classify & categorize risks, assign owners
  • A single risk taxonomy across the organization
  • Identification, sharing and mapping of cross organizational risks
  • Linking of Priority Risks to Strategic Plans
• An integrated risk framework to identify, assess and mitigate risk data elements
  • Risk register to document all risks and related events
  • Assess and analyze risks based on various factors
  • Calculate risk metrics and KRIs
  • Set risk appetite and thresholds
  • Correlate, analyze and visualize risks
  • Integrated issues tracking & mitigation

Page 18

Technology IS the “differentiator”

[Four quadrants: Enhance Risk Strategy | Embed Risk Management]

• Build two way communication
• Generate risk intelligence for top management
• Implement a common risk framework
• Program manage an enterprise wide risk and compliance program
• Define Risk Appetite at multiple levels of the organization
• Stress Testing to validate risk tolerance
• Coordinating risk reporting cycles
• KRI tracking by business lines
• Automation of planned self-assessments
• Control design and implementation effectiveness
• Continuous updating of risk and control metrics
• Integrated risk management training and awareness
• Standardized reporting and monitoring
• Reducing redundancy while increasing coverage
• Communicate risks across the business

[Improve Control and Processes | Optimize Risk Management Functions]

Page 19

Solution Architecture

[Diagram of the technology platform, read bottom-up as Establish / Extend / Sustain / Leverage:]

• Infrastructure: Alerts, Security, Dashboards/Analytics, Offline Briefcase, Integration Engine
• Core Foundation Components: Risks, Controls, Processes, Assets, Organizations, Regulations, Documents, Content
• Risk Mgmt: Assessment, Mitigation, KRIs, Heat Maps
• Compliance Mgmt: Self Assessments, Control Testing, Surveys, Certifications
• Audit Mgmt: Annual Planning, Audit Planning, Audit Execution, Audit Reporting
• Issue Mgmt: Issue Tracking, Assessing Severity, Monitor Remediation
• Other Products…: Policy Management, Loss Management, Vendor Management, Credit Asset Review
• Solution areas: Regulatory Compliance, Managing Sanctions and Agreements, Anti-Bribery Program, Supplier Governance, Corporate Ethics, IT Governance
• Application Studio: Forms, Data, Process, Standards/Templates
• Compliance Online: Content, Community, Alerts and Feeds
• AppExchange

Page 20

Enable Informed Decision Making Process

• Advanced Analytics for decision-making
  • Better understanding of risk profiles
  • Effective monitoring and communication
  • Integrate risk assessment into management decision-making
  • Leverage risk assessment results to enhance controls or the risk acceptance
  • Enabling decision makers to quickly determine the potential impact of risk and develop an action plan
• Powerful dashboards, charts and heat maps provide real-time information and strengthen transparency into risk and control management
  • Monitor risk values vs. threshold values
  • Perform trend analysis
  • Conduct what-if & scenario analysis
  • Aggregate and monitor exposures across counterparties, lines of business, etc.
  • Graphical dashboards and board level scorecards

Page 21

Operational Risk Management: Key Strengths

• Flexible and adaptable Risk and Control framework
  • Based on industry standards such as ISO, COSO, COBIT Standards etc.
• Quantitative and Qualitative Risk Assessments, Scenario modeling
  • Advanced Risk Modeling capabilities
  • Visualization, mitigation strategies, risk relationships & scoring
• Internal and External Loss event management
  • Event recognition, investigations and remediation
• Key Risk Indicators (KRIs) for tracking risk metrics and thresholds
  • Automated notification when thresholds are breached

Page 23

Best Practices – Stress Testing

Creating a culture of risk awareness®

Global Association of Risk Professionals
111 Town Square Place, 14th Floor, Jersey City, New Jersey 07310, U.S.A.
+ 1 201.719.7210

2nd Floor, Bengal Wing, 9A Devonshire Square, London, EC2M 4YN, U.K.
+ 44 (0) 20 7397 9630

www.garp.org

© 2015 Global Association of Risk Professionals. All rights reserved.

About GARP | The Global Association of Risk Professionals (GARP) is a not-for-profit global membership organization dedicated to preparing professionals and organizations to make better informed risk decisions. Membership represents over 150,000 risk management practitioners and researchers from banks, investment management firms, government agencies, academic institutions, and corporations from more than 195 countries and territories. GARP administers the Financial Risk Manager (FRM®) and the Energy Risk Professional (ERP®) exams; certifications recognized by risk professionals worldwide. GARP also helps advance the role of risk management via comprehensive professional education and training for professionals of all levels. www.garp.org