01(Shime)Workshop on Operational Risk Management Slide


Transcript of 01(Shime)Workshop on Operational Risk Management Slide

  • 7/29/2019 01(Shime)Workshop on Operational Risk Management Slide

    1/61

    People paid in millions

    don't listen to those paid in thousands

    Risk consultant

  • Slide 2/61

    Workshop on Operational Risk Management

    Commercial Bank of Ethiopia

    Risk Management Sub-Process

    November, 2011

  • Slide 3/61

    Workshop on Operational Risk Management

    Outline

    I. The purpose of the workshop

    II. The three lines of defense

    a. Roles of the 1st line of defense

    b. Roles of the 2nd line of defense

    c. Roles of the 3rd line of defense

    III. Understanding risk management

    IV. Operational risk management

    a. Elements of operational risk

    b. Factors contributing to operational risks

    c. Tools for operational risk identification and assessment

    V. Risk management process

    a. Risk identification

    b. Risk assessment

    c. Controlling

    d. Monitoring and reviews

    VI. Risk response

    VII. Reporting

    VIII. An effective internal control system

  • Slide 4/61

    I. The purpose of the workshop

    The workshop aims at creating awareness and the necessary attitude towards operational risk management.

    This workshop approaches the issue of operational risk from its definition and its likely manifestation.

    The need to understand operational risk management and the lines of defense the Bank uses;

    In order to create an enabling organisational culture and to place high priority on effective risk management, specifically operational risk management and its implementation.

    The basics of the operational risk management cycle.

    Roles and responsibilities of each process in managing operational risk.

    Introducing tools for identifying and assessing operational risk.

    Gives a typical outline of the organisational set-up in the bank for managing operational risks, together with the roles and responsibilities of the Board, Senior Management and other organs of the bank.

    To familiarize participants with the policies and procedures of the RCMP, and specifically operational risk management, which outline all aspects of the bank's Operational Risk Management Framework and enable the Bank to conduct its business activities in a consistent and controlled manner.

  • Slide 5/61

    II. Risk management (highlights)

    What is risk?

    The possibility of an event occurring that will have an impact on the achievement of the objective.

    Risk management covers all the processes involved in identifying, assessing and judging the full range of risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress.

    A methodical, systematic and enterprise-wide process that is central to an organization's strategic direction and management, whereby business uncertainties are rationally addressed.

  • Slide 6/61

    Risk management (highlights)

    continued

    Three types of risks

    The risks we take

    The risks we face

    The risks we make

  • Slide 7/61

    Risk management (highlights)

    continued

    Levels of risk management

    Overall corporate risk management (enterprise risk management)

    Systematic risk management process (risk management cycle)

    Specific risk management programs (e.g. financial, project etc.)

    Particular risk-based operational actions, decisions, and decision-making mechanisms (embedded ones)

  • Slide 8/61

    Risk management (highlights)

    continued

    Elements of an Enterprise Risk Management System

    Risk management strategy

    Risk strategy (appetite)

    Sensible and business-focused approach

    Overall framework and management system

    Specific risk management programs

    Risk management cycle

    Supporting infrastructure

    Clearly defined responsibilities and organizational structure

    Commitment at all levels

    Clearly defined terms

  • Slide 9/61

    Elements of an Enterprise Risk Management System

    continued

    Underpinning principles and values (principles-based?) e.g. accountability, transparency

    Reliable information and effective communication

    Risk register and reports

    Integration within the business

    Continuous monitoring (of risks and RM) and improvement

    Implementation and development plans

    Guidance and procedures

    Independent review, assurance and challenge

    Oversight

  • Slide 10/61

    Risk management (highlights)

    continued

    The Risk Management Process (Cycle)

    Recognizing risk as an issue

    Understanding the organization/operation and its context

    Confirming objectives

    Identifying specific risks

    Assessing likelihood and impact (both inherent and residual)

    Deciding how to deal with the risks

    Implementing risk acceptance or mitigation measures (the 4 Ts)

    Monitoring success

    Recording

    Reporting

    Reviewing, learning and improving

  • Slide 11/61

    Risk management (highlights)

    continued

    Phases of Risk Management

    Recognition of need

    (How do you sell it? Is it still a problem?)

    Development and design

    (Use an accepted model?)

    Introduction

    (Pilot?)

    Operation

    (It won't always work)

    Administration and management

    (Don't let it become a number-crunching exercise, an annual chore and a costly bureaucratic nightmare)

    Maintenance

    (WHY doesn't it always work?)

    Adaptation, further development and improvement

    (Things change; it won't be perfect and needs to be refined and extended)

  • Slide 12/61

    Risk management (highlights)

    continued

    Risk management benefits:

    Earlier exploitation of business opportunities

    Increased market capitalization

    Increased likelihood of achieving business objectives

    More effective use of management time

    Lower cost of capital

    Fewer unforeseen threats (no surprises)

    More effective management of change

    Clearer strategy setting

  • Slide 13/61

    The questions to be asked

    What do we do at present? What risks do we accept, and why? Is this right and consistent with our risk appetite? Do we have the appetite?

    How good are the defenses against unwanted risk? Can we prove it?

    What are the reasons for the residual risks? How tolerable are such risks?

    What is our overall exposure? Do rewards outweigh risks? Are we sure?

    What do we do next?

  • Slide 14/61

    III. The three lines of defense

    The general operational risk management roles and responsibilities are defined along the three lines of defense as follows:

    1st Line of Defense: All Processes of the Bank are responsible for managing operational risks within their respective domain.

    2nd Line of Defense: The RCMP is responsible for overseeing and ensuring that operational risks are managed in line with the requirements set in the ORM framework.

    3rd Line of Defense: The Internal Audit Process shall be responsible for providing independent assurance to the BoDs as to the proper management of operational risks.

  • Slide 15/61

    IV. What is operational risk?

    Definition: There is no uniform definition of operational risk, but according to the Basel II framework and the Bank's operational risk management framework it can be defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

  • Slide 16/61

    The Objectives of Operational Risk Management

    The specific objectives in managing operational risk will differ between organizations but will most commonly include one or more of the following:

    reducing avoidable losses

    reducing insurance costs

    protecting and enhancing reputation

    protecting and improving credit rating (NBE rating)

    improving risk and control culture

    improving awareness, objectivity, transparency and accountability of risk

    improving the efficiency and effectiveness of controls and processes

    providing greater levels of assurance to management

    assisting management in meeting external requirements

    identifying opportunities relating to risk.

  • Slide 17/61

    V. Understanding operational risk: the need to understand

    Exists as long as the bank exists;

    Not organized, often scattered and uncoordinated in most institutions, leaving important risks unmanaged or unmonitored;

    Lack of an (agreed) operational risk management framework (but now developed);

    No central overview, lack of 1st-echelon management information about operational risk exposures and changes in their levels, leading to surprise;

    Lack of cost-benefit trade-offs, leading to too many or wrong controls for certain risks, or the contrary;

    No news (good news)

  • Slide 18/61

    V. Understanding operational risk:

    the need to understand, continued

    Therefore, communication flows establish a consistent operational risk management culture;

    Information flows within the organization play a key role in establishing and maintaining an effective operational risk management framework;

    Reporting flows enable monitoring of the effectiveness of the operational risk management process;

    Essential foundation for any rigorous operational risk management process: incident data collection per event type and business line;

    Comprehensive, reasonable, verifiable, validated

  • Slide 19/61

    V. Understanding operational risk:

    Operational risk is not new

    Unlike other types of risk, operational risk does not merely materialize in the form of visible and direct losses (or profit declines). When operational risk materializes, therefore, it is not always easy to identify the resulting losses, including indirect losses, in an accurate and comprehensive manner.

    Embedded in internal processes, people and systems.

    Example: unclear lines of reporting or lack of control culture; it cannot be measured like credit or market risk.

    Hidden cost: processing failures are often high frequency and low impact but hidden in processing costs; they can be the difference between poor/average and great performance.

  • Slide 20/61

    V. Understanding operational risk:

    Operational risk is not new, continued

    Multiplier effect: some operational risks only materialize due to multiple control breaks. Low-frequency, high-impact events lead to underestimation in risk assessment and an exponential multiplier effect on potential/actual loss.

    The impact of various forms of operational risk on the bank may vary in degree, i.e., some risks may have more potential of causing damage while some may have less potential; some may occur more frequently while some may occur less frequently.

    People-driven: inertia/leniency, temptation/greed, over-confidence, denial, lip service.

    Example: ignoring warnings, or audit/RCMP reports

  • Slide 21/61

    VI. Elements of operational risks

    Internal fraud

    External fraud

    Employment practices and workplace safety

    Clients, products and business practices.

    Damage to physical assets.

    Business disruption and system failures

    Execution, delivery and process management

  • Slide 22/61

    VI. Elements of operational risks

    continued

    Highly automated technology

    Emergence of e-commerce

    Emergence of banks acting as very large volume service providers

    Outsourcing

    Large-scale acquisitions, mergers, de-mergers and consolidations

    Engagement in risk mitigation techniques giving rise to legal risk

  • Slide 23/61

    1. Internal Fraud

    Unauthorized Activity. Transactions not reported. Transaction type unauthorized. Mismarking of position.

    Theft and Fraud. Fraud/credit fraud/worthless deposits. Theft/extortion/embezzlement/robbery. Misappropriation of assets. Forgery. Account take-over/impersonation. Bribes/kickbacks. Insider trading. Money laundering. Willful blindness.

  • Slide 24/61

    2.External Fraud

    Systems Security.

    Hacking damage.

    Theft of information (with monetary loss).

    Theft and Fraud. Theft/robbery.

    Forgery.

    Check kiting. Identity theft.

    Elder financial abuse.

  • Slide 25/61

    3. Employment Practices and Workplace Safety

    Employee Relations.

    Compensation, benefit, termination issues.

    Organized labor issues.

    Safe Environment.

    General liability (slips and falls). Employee health and safety rules.

    Workers' compensation.

    Diversity and Discrimination.

    All discrimination types.

    Harassment. Equal Employment Opportunity (EEO).

  • Slide 26/61

    3. Clients, Products and Business Practices

    Suitability, Disclosure and Fiduciary. Fiduciary breaches/guideline violations.

    Suitability/disclosure issues.

    Retail consumer disclosure violations. Breach of privacy.

    Aggressive sales.

    Inadequate product offerings.

    Account churning.

    Misuse of confidential information.

    Lender liability.

  • Slide 27/61

    3. Clients, Products and Business Practices

    (CONTINUED)

    Improper Business or Market Practices .

    Antitrust.

    Improper trade/market practice.

    Market manipulation.

    Insider trading (on the firm's account).

    Unlicensed activity.

    Money laundering.

  • Slide 28/61

    3. Clients, Products and Business Practices

    (CONTINUED)

    Selection, Sponsorship and Exposure.

    Failure to investigate client per guidelines.

    Exceeding client exposure limits.

    Advisory Activities.

    Disputes over performance or advisory activities

  • Slide 29/61

    4. Damage to Physical Assets

    Disasters and Other Events.

    Natural disaster losses.

    Human losses from external sources (terrorism, vandalism).

  • Slide 30/61

    5. Business Disruption and System Failures

    Systems.

    Hardware.

    Software.

    Telecommunications.

    Utility outage/disruptions

  • Slide 31/61

    6. Execution, Delivery and Process Management

    Transaction Capture, Execution and Maintenance.

    Miscommunication.

    Data entry, maintenance or loading errors.

    Missed deadline or responsibility.

    Model/system misoperation.

    Accounting error/entity attribution error.

    Other task misperformance.

    Record retention.

    Documentation maintenance.

    Delivery failure. Collateral management failure.

    Reference data maintenance

  • Slide 32/61

    6. Execution, Delivery and Process Management

    (CONTINUED)

    Monitoring and Reporting.

    Failed mandatory reporting obligations.

    Inaccurate external loss (loss incurred).

    Customer Intake and Documentation.

    Unapproved access given to accounts.

    Incorrect client records (loss incurred).

    Negligent loss or damage of client assets.

  • Slide 33/61

    6. Execution, Delivery and Process Management

    (CONTINUED)

    Customer/Client Account Management.

    Unapproved access given to accounts.

    Incorrect client records (loss incurred).

    Negligent loss or damage of client assets.

    Trade Counterparties.

    Non-client counterparty misperformance.

    Vendors and Suppliers. Outsourcing.

    Vendor disputes.


  • Slide 34/61

    VII. Factors Contributing to operational risks

    People Risk

    Process Risk

    Transaction Risk

    Documentation/contract risk

    Operational Control Risk

    Model Risk

    Systems Risk

    Technology Risk

    MIS Risk

    Event/external Risk

    Legal and Regulatory Risk (compliance risk)

  • Slide 35/61

    VIII. Roles and Responsibilities

    1. The BoDs/LRRC

    The LRRC shall:

    1. Approve the operational risk management strategy, policies and appetite of the Bank;

    2. Approve the ORMF of the Bank;

    3. Ensure the availability of a robust operational risk governance structure and process and the implementation of sound operational risk management principles;

    4. Review significant operational risk exposure of the Bank;

    5. Approve public disclosures on operational risks.

  • Slide 36/61

    2. The Process Council

    The PC shall:

    1. Oversee the proper implementation of the ORMF;

    2. Implement the Bank's operational risk management strategy, priorities and policies;

    3. Provide sufficient human and technical resources to support effective management of operational risk;

    4. Maintain an appropriate culture and set a tone conducive to effective and transparent operational risk management;

    5. Eliminate gaps and overlaps in the operational risk management responsibilities and authorities;

    6. Ensure that appropriate remedial actions are taken whenever operational risk management breaches are identified.

  • Slide 37/61

    2. The RCMP

    The RCMP shall:

    1. Spearhead the proper implementation of the ORMF;

    2. Develop/review the operational risk management principles, process and methodologies and monitor their proper application;

    3. Advise processes in the implementation of the ORM framework and ensure consistency and proper implementation across all processes of the Bank;

    4. Conduct enterprise-wide risk assessment and aggregate the operational risk assessment results of all processes of the Bank;

    5. Aggregate the operational risk database of the Bank;

    6. Ensure the appropriate reporting of deviations and breaches of threshold to the PC/LRRC;

    7. Consolidate risk reports of the Processes of the Bank and escalate them to the Management and Board;

    8. Review policies and procedures in light of the operational risk profile of the Bank;

  • Slide 38/61

    2. The RCMP (continued)

    9. Develop the operational risk appetite, limit and threshold;

    10. Establish criteria for setting the risk analysis scope;

    11. Coordinate appropriate and timely delivery of operational risk management information;

    12. Organize an operational risk awareness and training program;

    13. Ensure the PC/LRRC are made aware of material changes to the Bank's operational risk profile;

    14. Maintain a portfolio of risk response activities and a risk database;

    15. Collect and maintain an external loss database;

    16. Oversee the effectiveness of operational risk communications;

    17. Conduct operational risk training and awareness programs;

    18. Propose capital for operational risk exposure.

  • Slide 39/61

    3. The Internal Audit Process

    The Internal Audit Process shall:

    Monitor the effectiveness of the ORMF and the risk management process;

    Provide validation/independent assurance around the KRI development process and incorporate its output into the audit plan;

    Test and provide assurance as to the effectiveness of internal controls;

    Identify corrective actions in relation to operations;

    Report its audit risk findings to the RCMP or Audit Committee, as appropriate.

  • Slide 40/61

    4. All Processes of the Bank

    All Processes of the Bank shall:

    1. Identify operational risk events/incidents (operational risk inherent in all material products, activities, processes and systems) and maintain, as appropriate, a process-level operational risk database (including an external loss database) for their respective process;

    2. Conduct operational risk and control assessment of their respective process;

    3. Monitor operational alignment with applicable limits and tolerances;

    4. Monitor control performance and periodically test control design;

    5. Document all significant operational events/incidents as well as any measures taken to alleviate the issue;

    6. Conduct the required level of operational risk awareness;

    7. Identify IT-related risks and evaluate the level of IT-related risks;

  • Slide 41/61

    4. All Processes of the Bank (continued)

    8. Create the required level of risk awareness in relation to IT risk management;

    9. Ensure strict adherence to the Bank's policies, procedures and standards;

    10. Monitor operational risk status against the established risk appetite;

    11. Compile and report to the RCMP:

    Risk assessment findings/results;

    Control assessment results/findings;

    Performance/status on KRIs;

    Key risks with significant control weaknesses;

    Breaches and deviations, if any.

    12. Draw action plans for:

    Operational risk assessment and control findings; and

    Other operational risk assessment findings.

    13. Ensure compliance with the approved policies and procedures of the Bank;

  • Slide 42/61

    4. All Processes of the Bank (continued)

    14. Ensure adequacy of the existing controls;

    15. Identify operational risk events/incidents (actual loss, potential loss and near miss) and forward the same to the RCMP;

    16. Identify, capture, and communicate pertinent information in a form and timeframe that enables staff to carry out their responsibilities;

    17. Manage operational risks found within their respective domain;

    18. Assess operational risks and the effectiveness of controls associated with their respective domain;

  • Slide 43/61

    4. All Processes of the Bank (continued)

    14. Design, operate, and monitor a suitable system of control;

    15. Verify that internal controls and practices are in place, appropriate, operating effectively, and consistent with the Bank's policies, legal and contractual obligations, and regulatory requirements;

    16. Manage and review operational risks associated with their respective use of IT as part of day-to-day business activity;

    17. Contribute in a timely manner to the monitoring, reporting, and escalation processes such that the PC is made aware of material changes to the Bank's IT-related risk profile;

    19. Devise risk response options and monitor their implementation.

  • Slide 44/61

    IX. Operational risk identification

    Operational risk identification refers to the process of identifying operational risks associated with each process of the Bank.

    Activity Listing: This involves identifying all activities, processes and products of a Process that are susceptible to operational risk.

    Review Risk Lists and Lessons Learned: A great deal can be learned from reviewing risk databases from similar tasks, talking to process owners about risk management activities in their areas, and reading case studies that identify risks to services or processes.

    Continual Identification: Identification happens as often as changes are able to affect any process's infrastructure/activities, which is to say, identification happens every day.

    Discussions: This is a powerful way to expose assumptions and differing viewpoints. The ultimate goal of the identification discussion is to improve the organization's risk management capability.

    Cause and effect matrix: An effective solution, and one that has benefits later in the process, is to subdivide all of the possible conditions into a table with one row for each of the four causes of risk and one column for each of the four types of downstream effect.

    Risk Statement Form: Role or function, related service, context, related risks and dependencies among risks.

  • Slide 45/61

    IX. Operational risk identification (continued)

    Risk Incident Reporting: Any risk events (loss, near misses, and potential) shall be reported, as they happen, to the respective Process owner and the RCMP at the same time.

    The identified events shall be analyzed and registered in the respective risk event register of the Bank.

    Incident and loss data collection: Within the RCMP an incident and loss data collection process is in place to collect, assess and monitor the operational losses or potential losses, to define the allocation of resources and to assess the losses due to operational risks. Internal loss events may be viewed as actual loss, potential loss and near miss events experienced by an organisation.

    Actual loss: an incident that has resulted in a negative financial impact for the business;

    Potential loss: an incident that has been discovered, that may or may not ultimately result in a financial loss; and

    Near miss: an incident discovered through means other than standard operating practices and through good fortune or focused management action which has resulted in nil or a positive financial impact (it should be noted that a near miss could potentially result in a financial gain).

  • Slide 46/61

    Incident assessment sheet

    Columns: Incident narration | Possible cause | Possible impact | Existing control | Adequacy of control | Level of risk | Required further preventive action

  • Slide 47/61

    Failure history log sheet

    Columns: S. No | Event (Incident) ID | Particulars/details of the event | Details of the adverse event | Asset affected (failed) | Cause | Details of damage, loss and/or disruption | Actions taken to reverse the situation | Duration of disruption (if any) | Remark

  • Slide 48/61

    Risk Impact Analysis Format

    Columns: Risk No. | Risk Summary | Risk Impact | Risk Impact Rating

  • Slide 49/61

    X. Operational risk assessment

    Operational risk assessment shall refer to the process of assessing the likely frequency and severity of the identified risks.

    Likelihood and Impact Analysis

    To assess the likelihood and impact of the identified risks,

    o the identified risks shall be prioritized and considered against the existing controls;

    o the residual risk shall be identified after existing controls (preventive and detective) have been applied to the inherent risks;

    o the impact/likelihood analysis shall be applied on the residual risk;

    o based on the result of the assessment, risks have to be prioritized and significant risks have to be identified accordingly.

  • Slide 50/61

    Risk Assessment Matrix

    Columns: Risk No. | Threat | Vulnerability | Risk | Risk Summary | Risk Likelihood Rating | Risk Impact Rating | Overall Risk Rating | Analysis of Relevant Controls and Other Factors | Recommendations

  • Slide 51/61

    X. Operational risk assessment

    continued

    Likelihood Analysis

    Impact/Magnitude Analysis

    Risk Level Determination

    Actions

    Assigning Risk Owner

  • Slide 52/61

    XI. Monitoring of Operational Risk

    Monitoring is continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected; it can be applied to a risk management framework, a risk management process, the risk itself or the control.

    To effectively monitor operational risks, processes shall:

    o Ensure that the appropriate organ or individuals accept accountability for operating within their individual and portfolio tolerance levels;

    o Periodically test control design and operating effectiveness;

    o Ensure that there is a detailed examination of areas of residual risk outside of tolerance thresholds (e.g., request risk analysis).

  • Slide 53/61

    XII. An effective internal control system

    The process designed, implemented and maintained by:

    those charged with governance,

    management and

    other personnel, to provide reasonable assurance about the achievement of an entity's objectives with regard to:

    (a) reliability of financial reporting,

    (b) effectiveness and efficiency of operation,

    (c) safeguarding of assets, and

    (d) compliance with applicable laws and regulations.

  • Slide 54/61

    XII. Controls/Mitigation of Operational Risk

    continued

    The internal control process: a sound internal control process is critical to a bank's ability to meet its established goals and to maintain its financial viability.

    Internal control is the responsibility of everyone in a bank.

    Almost all employees produce information used in the internal control system or take other actions needed to effect control.

    The recognition by all employees of the need to carry out their responsibilities effectively and to communicate to the appropriate level of management any problems in operations, instances of non-compliance with the code of conduct, or other policy violations or illegal actions that are noticed.

    It is essential that all personnel within the bank understand the importance of internal control and are actively engaged in the process.

    55/61

    XII. Controls/Mitigation of Operational Risk

    ...continued

    An effective internal control system requires:

    an appropriate control structure, with control activities defined at every business level;

    top level reviews; appropriate activity controls for different processes or divisions; physical controls; checking for compliance with exposure limits and follow-up on non-compliance;

    a system of approvals and authorisations; and a system of verification and reconciliation;

    areas of potential conflicts of interest identified, minimised, and subject to careful, independent monitoring;

    information that is reliable, timely, accessible, and provided in a consistent format;

    effective channels of communication to ensure that all staff fully understand and adhere to policies and procedures affecting their duties and responsibilities, and that other relevant information is reaching the appropriate personnel.

    56/61

    XII. Controls/Mitigation of Operational Risk

    Audit functions

    An effective internal audit function independently evaluates the control systems within the organisation, as part of the ongoing monitoring of the bank's system of internal controls and of its internal capital assessment procedure.

    57/61

    XII. Controls/Mitigation of Operational Risk

    ...continued.

    Mitigation of risks

    For all material operational risks that have been identified, the bank should decide whether to use appropriate procedures to control and/or mitigate the risks, or to bear the risks.

    The decision to retain or self-insure a risk should be transparent within the organisation and should be consistent with the bank's overall business strategy and appetite for risk.

    For those risks that cannot be controlled, the bank should decide whether to accept/tolerate these risks, reduce the level of business activity involved, or withdraw from/terminate this activity completely.

    Risk mitigation tools or programmes can be used to reduce the exposure to, or the frequency and/or severity of, such events.

    However, banks should view risk mitigation tools as complementary to, rather than a replacement for, thorough internal operational risk control.

    58/61

    XII. Controls/Mitigation of Operational Risk

    ...continued

    Management responses

    Tolerate
    o Positively take the risk (opportunity)
    o Live with the risk
    o Negatively accept the risk (threat): unable to respond

    Terminate
    o Stop
    o Don't start

    Transfer
    o Insure, hedge, contract out, share (but be careful with this option)

    Treat
    o Control likelihood, impact or both
    o Through directive, preventive, detective and corrective controls

    59/61

    XIII. Operational risk reporting requirements

    Compile and report to the RCMP (Risk and Compliance Management Process):

    Risk assessment findings/results;

    Control assessment results/findings;

    Performance/status of KRIs;

    Key risks with significant control weaknesses;

    Breaches and deviations, if any.

    60/61

    Incident reporting format

    COMMERCIAL BANK OF ETHIOPIA
    RISK AND COMPLIANCE MANAGEMENT PROCESS
    OPERATIONAL RISK INCIDENT REPORTING FORMAT

    For the month: __________________

    Submission date | Incident date | Discovery date

    Reported by: Process | Sub process/branch | Position | Name | Telephone
    Report submitted to: Name | Telephone

    Detailed description/update: Incident narrative | Cause | Impact/Consequence

    Corrective/preventive action: Details of corrective/preventive action taken/to be taken | Date of action | Action owners

    Financial impact in Birr: Actual loss | Potential loss | Recovered amount | Recovered by | Net loss (Actual loss - Recovered amount) | Remark

    To be completed by ORM team only:
    Operational risk category
    Logged by (ORM officer, maker): Name | Date
    Reviewed by (ORM officer, checker): Name | Date
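    As an added example, not part of the workshop material or of any Commercial Bank of Ethiopia system, the Python below models the fields of the incident reporting format as a record and applies the consistency checks a reviewer would want before a record is logged: mandatory fields, chronological dates, the net loss formula printed on the form, and maker-checker separation between the two ORM officers. The form itself states only the fields and the net loss formula; the date ordering, the rule that recovered amount cannot exceed actual loss, the rule that maker and checker must be different people, the sample record and the per-category totals are assumptions of this example.

```python
"""Consistency checks for the operational risk incident reporting format.

Added example, not code from the workshop or the bank. Field names follow
the form; every rule beyond the form's own net loss formula (date ordering,
recovered <= actual, maker != checker) is an assumption of this example.
"""
from dataclasses import dataclass, replace
from datetime import date
from decimal import Decimal
from typing import Optional


@dataclass
class IncidentReport:
    reported_by: str                 # reporter and location of the incident
    process: str
    sub_process_or_branch: str
    submitted_to: str
    incident_date: date              # timeline
    discovery_date: date
    submission_date: date
    narrative: str                   # detailed description
    cause: str
    impact: str
    action_details: str              # corrective/preventive action
    action_date: Optional[date]
    action_owners: str
    actual_loss: Decimal             # financial impact in Birr
    potential_loss: Decimal
    recovered_amount: Decimal
    recovered_by: str = ""
    remark: str = ""
    risk_category: str = ""          # completed by the ORM team only
    logged_by: str = ""              # ORM officer acting as maker
    reviewed_by: str = ""            # ORM officer acting as checker


def net_loss(r: IncidentReport) -> Decimal:
    """Net loss as defined on the form: actual loss minus recovered amount."""
    return r.actual_loss - r.recovered_amount


def validate(r: IncidentReport) -> list:
    """Return the rule violations found; an empty list means the record is consistent."""
    errors = []
    for name in ("reported_by", "process", "narrative", "cause", "impact"):
        if not getattr(r, name).strip():
            errors.append(f"{name} is required")
    # Assumed ordering: an incident happens, is then discovered, then reported
    if not (r.incident_date <= r.discovery_date <= r.submission_date):
        errors.append("dates must satisfy incident <= discovery <= submission")
    if min(r.actual_loss, r.potential_loss, r.recovered_amount) < 0:
        errors.append("amounts must not be negative")
    if r.recovered_amount > r.actual_loss:
        errors.append("recovered amount exceeds actual loss")
    if r.recovered_amount > 0 and not r.recovered_by.strip():
        errors.append("recovered_by is required when an amount was recovered")
    # Maker-checker (assumed): the officer who logs a record may not also review it
    if r.reviewed_by and r.reviewed_by.strip().lower() == r.logged_by.strip().lower():
        errors.append("maker and checker must be different ORM officers")
    if r.reviewed_by and not r.risk_category.strip():
        errors.append("risk category must be set before the checker signs off")
    return errors


def monthly_summary(reports) -> dict:
    """Per-category incident counts and Birr totals for the monthly report to the RCMP."""
    summary = {}
    for r in reports:
        s = summary.setdefault(r.risk_category or "uncategorised",
                               {"incidents": 0, "actual": Decimal(0), "recovered": Decimal(0), "net": Decimal(0)})
        s["incidents"] += 1
        s["actual"] += r.actual_loss
        s["recovered"] += r.recovered_amount
        s["net"] += net_loss(r)
    return summary


# Constructed sample record; names, dates and amounts are illustrative only
SAMPLE = IncidentReport(
    reported_by="Branch manager", process="Retail banking", sub_process_or_branch="Example branch",
    submitted_to="ORM team", incident_date=date(2011, 10, 3), discovery_date=date(2011, 10, 5),
    submission_date=date(2011, 11, 1), narrative="Customer withdrawal posted twice",
    cause="Manual re-entry after a system timeout", impact="Account overdrawn; teller shortage",
    action_details="Reversal posted; re-entry procedure revised", action_date=date(2011, 10, 7),
    action_owners="Branch operations", actual_loss=Decimal("12000"), potential_loss=Decimal("12000"),
    recovered_amount=Decimal("4000"), recovered_by="Branch cashier",
    risk_category="Transaction processing error", logged_by="ORM officer 1", reviewed_by="ORM officer 2",
)


def example_violations() -> list:
    """The sample with two defects: the checker is the maker, and recovery exceeds the loss."""
    return validate(replace(SAMPLE, reviewed_by=SAMPLE.logged_by, recovered_amount=Decimal("30000")))


if __name__ == "__main__":
    print("sample consistent:", validate(SAMPLE) == [], "net loss:", net_loss(SAMPLE))
    print("defective record:", example_violations())
```

    Amounts are kept as Decimal rather than float so that Birr totals reconcile exactly when the monthly figures are compiled; the maker-checker test compares the two ORM officer names case-insensitively so that a trivial re-spelling of the same name does not pass as a second reviewer.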

    61/61

    XIV. Tools for operational risk identification and assessment

    A. Audit Findings

    B. Internal Loss Data Collection and Analysis

    C. External Data Collection and Analysis

    D. Risk Assessments

    Risk Self Assessment(RSA)

    Risk Control Self Assessments (RCSA)

    Scorecards built on RCSAs

    Business Process Mapping

    Risk and Performance Indicators

    Scenario Analysis and Measurements

    Comparative Analysis