01(Shime)Workshop on Operational Risk Management Slide
-
7/29/2019 01(Shime)Workshop on Operational Risk Management Slide
1/61
People paid in millions don't listen to those paid in thousands.
Risk consultant
-
Workshop on Operational Risk Management
Commercial Bank of Ethiopia
Risk Management Sub-Process
November, 2011
-
Workshop on Operational Risk Management
Outline
I. The purpose of the workshop
II. The three lines of defense
a. Roles of the 1st line of defense
b. Roles of the 2nd line of defense
c. Roles of the 3rd line of defense
III. Understanding risk management
IV. Operational risk management
a. Elements of operational risk
b. Factors contributing to operational risks
c. Tools for operational risk identification and assessment
V. Risk management process
a. Risk identification
b. Risk assessment
c. Controlling
d. Monitoring and reviews
VI. Risk response
VII. Reporting
VIII. An effective internal control system
-
I. The purpose of the workshop
The workshop aims at creating awareness and the necessary attitude towards operational risk management.
This workshop approaches the issue of operational risk from its definition and its likely manifestation.
The need to understand operational risk management and the lines of defense the Bank uses;
In order to create an enabling organisational culture and to place a high priority on effective risk management, specifically operational risk management and its implementation.
The basics of the operational risk management cycle.
Roles and responsibilities of each process in managing operational risk.
Introducing tools for identifying and assessing operational risk.
Gives a typical outline of the organisational set-up in the bank for managing operational risks, together with the roles and responsibilities of the Board, Senior Management and other organs of the bank.
To familiarize participants with the policies and procedures of RCMP, specifically operational risk management, which outline all aspects of the bank's Operational Risk Management Framework and enable the Bank to conduct its business activities in a consistent and controlled manner.
-
II. Risk management (Highlights)
What is risk?
The possibility of an event occurring that will have an impact on the achievement of the objective.
Risk management covers all the processes involved in identifying, assessing and judging the full range of risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress.
A methodical, systematic and enterprise-wide process that is central to an organization's strategic direction and management, whereby business uncertainties are rationally addressed.
-
The Risk management (Highlights)
continued
Three types of risks
. The risks we take
. The risks we face
. The risks we make
-
The Risk management (Highlights )
continued
Levels of risk management
Overall corporate risk management (enterprise risk management)
Systematic risk management process (risk management cycle)
Specific risk management programs (e.g. financial, project etc.)
Particular risk-based operational actions, decisions, and decision making mechanisms (embedded ones)
-
The Risk management (Highlights)
continued
Elements of an Enterprise Risk Management System
Risk management strategy
Risk strategy (appetite)
Sensible and business-focused approach
Overall framework and management system
Specific risk management programs
Risk management cycle
Supporting infrastructure
Clearly defined responsibilities and organizational structure
Commitment at all levels
Clearly defined terms
-
Elements of an Enterprise Risk Management System
continued
Underpinning principles and values (principles-based?), e.g. accountability, transparency
Reliable information and effective communication
Risk register and reports
Integration within the business
Continuous monitoring (of risks and RM) and improvement
Implementation and development plans
Guidance and procedures
Independent review, assurance and challenge
Oversight
-
The Risk management (Highlights )
continued
The Risk Management Process (Cycle)
Recognizing risk as an issue
Understanding the organization/operation and its context
Confirming objectives
Identifying specific risks
Assessing likelihood and impact (both inherent and residual)
Deciding how to deal with the risks
Implementing risk acceptance or mitigation measures
(the 4 Ts)
Monitoring success
Recording
Reporting
Reviewing, learning and improving
-
The Risk management (Highlights )
continued
Phases of Risk Management
Recognition of need
(How do you sell it? Is it still a problem?)
Development and design
(Use an accepted model?)
Introduction
(Pilot?)
Operation
(It won't always work)
Administration and management
(Don't let it become a number-crunching exercise, an annual chore and a costly bureaucratic nightmare)
Maintenance
(WHY doesn't it always work?)
Adaptation, further development and improvement
(Things change; it won't be perfect and needs to be refined and extended)
-
The Risk management (Highlights )
continued
Risk management benefits:
Earlier exploitation of business opportunities
Increased market capitalization
Increased likelihood of achieving business objectives
More effective use of management time
Lower cost of capital.
Fewer unforeseen threats: no surprises
More effective management of change
Clearer strategy setting
-
The question to be asked?
What do we do at present? What risks do we accept, and why? Is this right and consistent with our risk appetite? Do we have the appetite?
How good are the defenses against unwanted risk? Can we prove it?
What are the reasons for the residual risks? How tolerable are such risks?
What is our overall exposure? Do rewards outweigh risks? Are we sure?
What do we do next?
-
III. The three lines of defense
The general operational risk management roles and responsibilities are defined along the three lines of defense as follows:
1st Line of Defense: All Processes of the Bank are responsible for managing operational risks within their respective domain.
2nd Line of Defense: The RCMP is responsible for overseeing and ensuring that operational risks are managed in line with the requirements set in the ORM framework.
3rd Line of Defense: The Internal Audit Process shall be responsible for providing independent assurance to the BoDs as to the proper management of operational risks.
-
IV. What is operational risk?
Definition: There is no uniform definition of operational risk, but according to the Basel II framework and the bank's operational risk management framework it can be defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.
-
The Objectives of Operational Risk Management
The specific objectives in managing operational risk will differ between organizations but will most commonly include one or more of the following:
reducing avoidable losses
reducing insurance costs
protecting and enhancing reputation
protecting and improving credit rating (NBE rating)
improving risk and control culture
improving awareness, objectivity, transparency and accountability of risk
improving the efficiency and effectiveness of controls and processes
providing greater levels of assurance to management
assisting management in meeting external requirements
identifying opportunities relating to risk.
-
V. Understanding operational risk: the need to understand...
Exists as long as the bank exists;
Not organized, often scattered and uncoordinated in most institutions, leaving important risks unmanaged or unmonitored;
Lack of an (agreed) operational risk management framework (but now developed);
No central overview, lack of 1st echelon management information about operational risk exposures and changes in its levels, leading to surprise;
Lack of cost-benefit trade-offs, leading to too many or wrong controls for certain risks, or to the contrary;
No news (good news)
-
V. Understanding operational risk:
the need to understand... continued
Therefore communication flows establish a consistent operational risk management culture;
Information flows within the organization play a key role in establishing and maintaining an effective operational risk management framework;
Reporting flows enable monitoring of the effectiveness of the operational risk management process;
Essential foundation for any rigorous operational risk management process: incident data collection per event type and business line
Comprehensive, reasonable, verifiable, validated
-
V. Understanding operational risk:
Operational risk is not new
Unlike other types of risk, operational risk does not merely materialize in the form of visible and direct losses (or profit declines). When operational risk materializes, therefore, it is not always easy to identify the resulting losses, including indirect losses, in an accurate and comprehensive manner.
Embedded in internal processes, people and systems. Example: unclear lines of reporting or lack of control culture; it cannot be measured like credit or market risk.
Hidden cost: processing failures are often high frequency and low impact but hidden in processing costs, and can be the difference between poor/average and great performance.
-
V. Understanding operational risk:
Operational risk is not new... continued
Multiplier effect: some operational risks only materialize due to multiple control breaks. Low frequency, high impact, leading to underestimation in risk assessment and an exponential multiplier effect on potential/actual loss.
The impact of various forms of operational risk on the bank may vary in degree, i.e., some risks may have more potential of causing damage while some may have less, and some may occur more frequently while others occur less frequently.
People-driven: inertia/leniency, temptation/greed, over-confidence, denial, lip service.
Example: ignoring warnings, or audit/RCMP reports.
-
VI. Elements of operational risks
Internal fraud
External fraud
Employment practices and workplace safety
Clients, products and business practices.
Damage to physical assets.
Business disruption and system failures
Execution, delivery and process management
-
VI. Elements of operational risks
continued
Highly automated technology
Emergence of e-commerce
Emergence of banks acting as very large volume service providers
Outsourcing
Large-scale acquisitions, mergers, de-mergers and consolidations
Engagement in risk mitigation techniques giving rise to legal risk
-
1. Internal Fraud
Unauthorized Activity. Transactions not reported. Transaction type unauthorized. Mismarking of position.
Theft and Fraud. Fraud/credit fraud/worthless deposits. Theft/extortion/embezzlement/robbery. Misappropriation of assets. Forgery. Account take-over/impersonation. Bribes/kickbacks. Insider trading. Money laundering. Willful blindness.
-
2. External Fraud
Systems Security.
Hacking damage.
Theft of information (with monetary loss).
Theft and Fraud. Theft/robbery.
Forgery.
Check kiting. Identity theft.
Elder financial abuse.
-
3. Employment Practices and Workplace Safety
Employee Relations.
Compensation, benefit, termination issues.
Organized labor issues.
Safe Environment.
General liability (slips and falls).
Employee health and safety rules.
Workers compensation.
Diversity and Discrimination.
All discrimination types.
Harassment.
Equal Employment Opportunity (EEO).
-
3. Clients, Products and Business Practices
Suitability, Disclosure and Fiduciary.
Fiduciary breaches/guideline violations.
Suitability/disclosure issues.
Retail consumer disclosure violations.
Breach of privacy.
Aggressive sales.
Inadequate product offerings.
Account churning.
Misuse of confidential information.
Lender liability.
-
3. Clients, Products and Business Practices
(CONTINUED)
Improper Business or Market Practices .
Antitrust.
Improper trade/market practice.
Market manipulation.
Insider trading (on the firm's account).
Unlicensed activity.
Money laundering.
-
3. Clients, Products and Business Practices
(CONTINUED)
Selection, Sponsorship and Exposure.
Failure to investigate client per guidelines.
Exceeding client exposure limits.
Advisory Activities.
Disputes over performance or advisory activities
-
4. Damage to Physical Assets
Disasters and Other Events.
Natural disaster losses.
Human losses from external sources (terrorism, vandalism).
-
5. Business Disruption and System Failures
Systems.
Hardware.
Software.
Telecommunications.
Utility outage/disruptions
-
6. Execution, Delivery and Process Management
Transaction Capture, Execution and Maintenance.
Miscommunication.
Data entry, maintenance or loading errors.
Missed deadline or responsibility.
Model/system misoperation.
Accounting error/entity attribution error.
Other task misperformance.
Record retention.
Documentation maintenance.
Delivery failure.
Collateral management failure.
Reference data maintenance
-
6. Execution, Delivery and Process Management
(CONTINUED)
Monitoring and Reporting.
Failed mandatory reporting obligations.
Inaccurate external loss (loss incurred).
Customer Intake and Documentation.
Unapproved access given to accounts.
Incorrect client records (loss incurred).
Negligent loss or damage of client assets.
-
6. Execution, Delivery and Process Management
(CONTINUED)
Customer/Client Account Management.
Unapproved access given to accounts.
Incorrect client records (loss incurred).
Negligent loss or damage of client assets.
Trade Counterparties.
Non-client counterparty misperformance.
Vendors and Suppliers.
Outsourcing.
Vendor disputes.
-
VII. Factors Contributing to operational risks
People Risk
Process Risk
Transaction Risk
Documentation/contract risk.
Operational Control Risk
Model Risk
Systems Risk
Technology Risk
MIS Risk
Event/external Risk
Legal and Regulatory Risk (compliance risk)
-
VIII. Roles and Responsibilities
1. The BoDs/LRRC
The LRRC shall:
1. Approve the operational risk management strategy,policies and appetite of the Bank;
2. Approve the ORMF of the Bank;
3. Ensure the availability of a robust operational risk governance structure, process and the implementation of sound operational risk management principles;
4. Review significant operational risk exposure of theBank;
5. Approve public disclosures on operational risks
-
2. The Process Council
The PC shall:
1. Oversee the proper implementation of the ORMF;
2. Implement the Bank's operational risk management strategy, priorities and policies;
3. Provide sufficient human and technical resources to support effective management of operational risk;
4. Maintain an appropriate culture and set a tone conducive to effective and transparent operational risk management;
5. Eliminate gaps and overlaps in the operational risk management responsibilities and authorities;
6. Ensure that appropriate remedial actions are taken whenever operational risk management breaches are identified.
-
2. The RCMP
The RCMP shall:
1. Spearhead the proper implementation of the ORMF;
2. Develop/review the operational risk management principles, process and methodologies and monitor their proper application;
3. Advise processes in the implementation of the ORM framework and ensure consistency and proper implementation across all processes of the Bank;
4. Conduct enterprise-wide risk assessment and aggregate operational risk assessment results of all processes of the Bank;
5. Aggregate the operational risk database of the Bank;
6. Ensure the appropriate reporting of deviations and breaches of threshold to the PC/LRRC;
7. Consolidate risk reports of the Processes of the Bank and escalate up to the Management and Board;
8. Review policies and procedures in light of the operational risk profile of the Bank;
-
2. The RCMP (continued)
9. Develop the operational risk appetite, limits and thresholds;
10. Establish criteria for setting risk analysis scope;
11. Coordinate appropriate and timely delivery of operational risk management information;
12. Organize operational risk awareness and training programs;
13. Ensure the PC/LRRC are made aware of material changes to the Bank's operational risk profile;
14. Maintain a portfolio of risk response activities and the risk database;
15. Collect and maintain an external loss database;
16. Oversee the effectiveness of operational risk communications;
17. Conduct operational risk training and awareness programs;
18. Propose capital for operational risk exposure.
-
3. The Internal Audit Process
The Internal Audit Process shall:
Monitor the effectiveness of the ORMF and risk management process;
Provide validation/independent assurance around the KRI development process and incorporate the output into the audit plan;
Test and provide assurance as to the effectiveness of internal controls;
Identify corrective actions in relation to operations;
Report its audit risk findings to the RCMP or Audit Committee, as appropriate.
-
4. All Processes of the Bank
All Processes of the Bank shall:
1. Identify operational risk events/incidents (operational risk inherent in all material products, activities, processes and systems) and maintain, as appropriate, a process-level operational risk database (including external loss database) of their respective process;
2. Conduct operational risk and control assessment of their respective process;
3. Monitor operational alignment with applicable limits and tolerances;
4. Monitor control performance and periodically test control design;
5. Document all significant operational events/incidents as well as any measures taken to alleviate the issue;
6. Conduct the required level of operational risk awareness;
7. Identifying IT-related risks and evaluating the level of IT-related risks;
-
4. All Processes of the Bank (continued)
8. Creating the required level of risk awareness in relation to IT risk management.
9. Ensure strict adherence to the policies, procedures and standards of the Bank;
10. Monitor operational risk status against the established risk appetite;
11. Compile and report to the RCMP:
Risk assessment findings/results;
Control assessment results/findings;
Performance/status on KRIs;
Key risks with significant control weaknesses;
Breaches and deviations, if any.
12. Drawing action plans for:
Operational risk assessment and control findings; and
Other operational risk assessment findings.
13. Ensure compliance with the approved policies and procedures of the Bank;
-
4. All Processes of the Bank (continued)
14. Ensure adequacy of the existing control.
15. Identify operational risk events/incidents (actual loss, potential loss and near miss) and forward the same to the RCMP;
16. Identify, capture, and communicate pertinent information in a form and timeframe that enables staff to carry out their responsibilities;
17. Manage operational risks found within their respective domain;
18. Assess operational risks and the effectiveness of controls associated with their respective domain;
-
4. All Processes of the Bank (continued)
14. Design, operate, and monitor a suitable system of control.
15. Verify that internal controls and practices are in place, appropriate, operating effectively, and consistent with Bank policies, legal and contractual obligations, and regulatory requirements.
16. Manage and review operational risks associated with their respective use of IT as part of day-to-day business activity.
17. Contribute in a timely manner to the monitoring, reporting, and escalation processes such that the PC is made aware of material changes to the Bank's IT-related risk profile;
19. Devise risk response options and monitor their implementation.
-
IX. Operational risk identification
Operational risk identification refers to the process of identifying operational risks associated with each process of the Bank.
Activity Listing: This involves identifying all activities, processes and products of a Process that are susceptible to operational risk.
Review Risk Lists and Lessons Learned: A great deal can be learned from reviewing risk databases from similar tasks, talking to process owners about risk management activities in their areas, and reading case studies that identify risks to services or processes.
Continual Identification: Identification happens as often as changes are able to affect any process's infrastructure/activities, which is to say, identification happens every day.
Discussions: This is a powerful way to expose assumptions and differing viewpoints. The ultimate goal of the identification discussion is to improve the organization's risk management capability.
Cause and effect matrix: An effective solution, and one that has benefits later in the process, is to subdivide all of the possible conditions into a table with one row for each of the four causes of risk and one column for each of the four types of downstream effect.
Risk Statement Form: Role or function, related service, context, related risks and dependencies among risks.
-
IX. Operational risk identification (continued)
Risk Incident Reporting: Any risk events (loss, near misses, and potential) shall be reported, as they happen, to the respective Process owner and the RCMP at the same time.
The identified events shall be analyzed and registered in the respective risk event register of the Bank.
Incident and loss data collection: Within the RCMP an incident and loss data collection process is in place to collect, assess and monitor the operational losses or potential losses, to define the allocation of resources and to assess the losses due to operational risks. Internal loss events may be viewed as actual loss, potential loss and near miss events experienced by an organisation.
Actual loss: an incident that has resulted in a negative financial impact for the business;
Potential loss: an incident that has been discovered, that may or may not ultimately result in a financial loss; and
Near miss: an incident discovered through means other than standard operating practices and through good fortune or focused management action, which has resulted in nil or a positive financial impact (it should be noted that a near miss could potentially result in a financial gain).
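As an added example (not from the workshop deck and not the Bank's own tooling), the following Python classifies constructed incident records into actual loss, potential loss and near miss using the three definitions above, computes net loss the way the incident reporting format does (actual loss minus recovered amount), aggregates losses per event type and per business line as the deck requires, and flags processes whose aggregated net loss exceeds a threshold, which is what the "breaches and deviations" line of the report to the RCMP would carry. The sample records, the threshold values and the rule that treats a fully recovered incident as a near miss are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample incident records for this example (not data from the Bank or the deck).
# Field names follow the deck's incident reporting format; amounts are in Birr.
INCIDENTS = [
    {"id": "INC-001", "process": "Retail banking", "category": "External fraud",
     "actual_loss": 50_000, "potential_loss": 0, "recovered": 20_000},
    {"id": "INC-002", "process": "Trade finance",
     "category": "Execution, delivery and process management",
     "actual_loss": 0, "potential_loss": 150_000, "recovered": 0},
    {"id": "INC-003", "process": "Retail banking", "category": "Internal fraud",
     "actual_loss": 12_000, "potential_loss": 0, "recovered": 12_000},
    {"id": "INC-004", "process": "IT operations",
     "category": "Business disruption and system failures",
     "actual_loss": 8_000, "potential_loss": 0, "recovered": 0},
    {"id": "INC-005", "process": "Retail banking", "category": "External fraud",
     "actual_loss": 25_000, "potential_loss": 0, "recovered": 0},
]

# Constructed per-process net-loss thresholds for the period (the deck sets none; an assumption).
THRESHOLDS = {"Retail banking": 40_000, "Trade finance": 100_000, "IT operations": 10_000}


def net_loss(incident: dict) -> int:
    """Net loss as defined on the reporting format: actual loss minus recovered amount."""
    for key in ("actual_loss", "potential_loss", "recovered"):
        if incident[key] < 0:
            raise ValueError(f"{incident['id']}: {key} must not be negative")
    return incident["actual_loss"] - incident["recovered"]


def classify(incident: dict) -> str:
    """Actual loss / potential loss / near miss, following the deck's definitions.

    Interpretation used here (an assumption): a positive net loss is an actual loss;
    otherwise an estimated exposure that may still crystallise is a potential loss;
    anything with nil or positive financial impact (e.g. fully recovered) is a near miss.
    """
    if net_loss(incident) > 0:
        return "actual loss"
    if incident["potential_loss"] > 0:
        return "potential loss"
    return "near miss"


def summarize(incidents: list[dict]) -> dict:
    """Aggregate the register per event type and per business line, as the deck requires."""
    by_process: dict[str, int] = defaultdict(int)
    by_category: dict[str, int] = defaultdict(int)
    counts: dict[str, int] = defaultdict(int)
    for inc in incidents:
        counts[classify(inc)] += 1
        loss = max(0, net_loss(inc))   # near misses contribute no loss to the totals
        by_process[inc["process"]] += loss
        by_category[inc["category"]] += loss
    return {"net_loss_by_process": dict(by_process),
            "net_loss_by_category": dict(by_category),
            "counts": dict(counts)}


def breaches(incidents: list[dict], thresholds: dict[str, int]) -> list[tuple[str, int, int]]:
    """Processes whose aggregated net loss exceeds their threshold: the
    'breaches and deviations' line of the report to the RCMP."""
    totals = summarize(incidents)["net_loss_by_process"]
    return [(proc, totals.get(proc, 0), limit) for proc, limit in thresholds.items()
            if totals.get(proc, 0) > limit]


if __name__ == "__main__":
    for inc in INCIDENTS:
        print(f"{inc['id']}: {classify(inc):14s} net loss {net_loss(inc):>8,} Birr")
    print(summarize(INCIDENTS))
    print("breaches:", breaches(INCIDENTS, THRESHOLDS))
```

Potential losses are deliberately kept out of the loss totals and reported only as a count, so that an estimated exposure is not mixed with realised loss; a register that wants to track exposure would carry it as a separate column.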
-
Incident assessment sheet
Incident narration | Possible cause | Possible impact | Existing control | Adequacy of control | Level of risk | Required further preventive action
-
Failure history log sheet
S. No | Event (Incident) ID | Particulars/details of the event | Details of the adverse event | Asset affected (failed) | Cause | Details of damage, loss and/or disruption | Actions taken to reverse the situation | Duration of disruption (if any) | Remark
-
Risk Impact Analysis Format
Risk No. | Risk Summary | Risk Impact | Risk Impact Rating
-
X. Operational risk assessment
Operational risk assessment shall refer to the process of assessing the likely frequency and severity of the identified risks.
Likelihood and Impact Analysis
To assess the likelihood and impact of the identified risks,
o the identified risks shall be prioritized and considered against the existing controls;
o the residual risk shall be identified after existing controls (preventive and detective) have been applied to the inherent risks;
o the impact/likelihood analysis shall be applied on the residual risk;
o based on the result of the assessment, risks have to be prioritized and significant risks have to be identified accordingly.
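The assessment steps above, together with the deck's 4Ts management responses (tolerate, terminate, transfer, treat) and its monitoring requirement that residual risk outside tolerance thresholds gets a detailed examination, as an added Python example that is not the deck's or the Bank's own code: a small risk register that takes each risk from its inherent rating, through the existing preventive and detective controls, to a residual likelihood and impact, bands the overall rating into a risk level, suggests a response for the risk owner and lists the risks outside tolerance. The 1 to 5 scales, the reduction each control level gives, the level bands, the response rule and the sample register rows are all assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed 1-5 rating scales; the deck names likelihood and impact analysis but prescribes no scale.
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "insignificant", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Assumed effect of existing controls on the inherent rating: preventive controls lower
# likelihood, detective controls lower impact (earlier detection limits the damage).
CONTROL_REDUCTION = {"none": 0, "partial": 1, "adequate": 2}


@dataclass
class Risk:
    risk_no: str
    summary: str
    threat: str               # operational risk event type the threat belongs to
    vulnerability: str        # the control weakness the threat exploits
    owner: str                # assigned risk owner
    inherent_likelihood: int
    inherent_impact: int
    preventive_controls: str  # "none" | "partial" | "adequate"
    detective_controls: str   # "none" | "partial" | "adequate"
    insurable: bool = False   # whether transfer (insurance, contracting out) is available


def residual_rating(risk: Risk) -> tuple[int, int]:
    """Residual likelihood and impact after the existing controls are applied to the inherent risk."""
    if not (1 <= risk.inherent_likelihood <= 5 and 1 <= risk.inherent_impact <= 5):
        raise ValueError(f"{risk.risk_no}: inherent ratings must be on the 1-5 scale")
    likelihood = max(1, risk.inherent_likelihood - CONTROL_REDUCTION[risk.preventive_controls])
    impact = max(1, risk.inherent_impact - CONTROL_REDUCTION[risk.detective_controls])
    return likelihood, impact


def risk_level(overall: int) -> str:
    """Assumed banding of the overall (likelihood x impact) rating, range 1-25."""
    if overall >= 12:
        return "high"
    if overall >= 6:
        return "medium"
    return "low"


def response(level: str, residual_impact: int, insurable: bool) -> str:
    """Suggest one of the deck's 4Ts (assumed rule; the decision itself stays with the risk owner)."""
    if level == "low":
        return "tolerate"
    if level == "high" and residual_impact == 5:
        return "terminate"   # candidate to stop, or not start, the activity
    if level == "high" and insurable:
        return "transfer"    # insure, hedge, contract out or share
    return "treat"           # strengthen directive/preventive/detective/corrective controls


def assess_register(risks: list[Risk]) -> list[dict]:
    """Score every risk and prioritise: significant residual risks first."""
    rows = []
    for r in risks:
        likelihood, impact = residual_rating(r)
        overall = likelihood * impact
        level = risk_level(overall)
        rows.append({"risk_no": r.risk_no, "summary": r.summary, "owner": r.owner,
                     "residual_likelihood": likelihood, "residual_impact": impact,
                     "overall": overall, "level": level,
                     "response": response(level, impact, r.insurable)})
    # sorted() is stable, so risks with equal ratings keep their register order
    return sorted(rows, key=lambda row: row["overall"], reverse=True)


def outside_tolerance(rows: list[dict], tolerance: int) -> list[str]:
    """Residual risks above the tolerance threshold, which the monitoring step must examine in detail."""
    return [row["risk_no"] for row in rows if row["overall"] > tolerance]


# Constructed sample register (not the Bank's data).
REGISTER = [
    Risk("R1", "Unauthorised payment release", "Internal fraud",
         "single-person approval of high-value transfers", "Head of Payments", 4, 5, "partial", "adequate"),
    Risk("R2", "Core banking system outage", "Business disruption and system failures",
         "no tested failover site", "Head of IT Operations", 3, 5, "none", "partial"),
    Risk("R3", "Branch cash robbery", "External fraud",
         "cash held above insured limit", "Branch Manager", 2, 4, "adequate", "adequate", insurable=True),
    Risk("R4", "Cheque forgery", "External fraud",
         "no signature verification on clearing", "Head of Retail", 4, 3, "partial", "none"),
]

if __name__ == "__main__":
    rows = assess_register(REGISTER)
    for row in rows:
        print(f"{row['risk_no']}: L={row['residual_likelihood']} I={row['residual_impact']} "
              f"overall={row['overall']:>2} {row['level']:6s} -> {row['response']} ({row['owner']})")
    print("outside tolerance (>10):", outside_tolerance(rows, 10))
```

The columns of each output row match the Risk Assessment Matrix format on the next slide (risk number, summary, likelihood rating, impact rating, overall rating, recommendation), so the same structure can be filled in by hand from a workshop session.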
-
Risk Assessment Matrix
Risk No. | Threat | Vulnerability | Risk | Risk Summary | Risk Likelihood Rating | Risk Impact Rating | Overall Risk Rating | Analysis of Relevant Controls and Other Factors | Recommendations
-
X. Operational risk assessment
...continued
Likelihood Analysis
Impact/Magnitude Analysis
Risk Level Determination
Actions
Assigning Risk owner
-
XI. Monitoring of Operational Risk
Monitoring is continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected; it can be applied to a risk management framework, the risk management process, the risk itself or the control.
To effectively monitor operational risks, processes shall:
o Ensure that the appropriate organ or individuals accept accountability for operating within their individual and portfolio tolerance levels;
o Periodically test control design and operating effectiveness;
o Ensure that there is a detailed examination of areas of residual risk outside of tolerance thresholds (e.g., request risk analysis).
-
XII. An effective internal control system
The process designed, implemented and maintained by:
those charged with governance,
management and
other personnel,
to provide reasonable assurance about the achievement of an entity's objectives with regard to:
(a) reliability of financial reporting,
(b) effectiveness and efficiency of operation,
(c) safeguarding of assets, and
(d) compliance with applicable laws and regulations.
-
XII. Controls/Mitigation of Operational Risk
...continued
The internal control process: a sound internal control process is critical to a bank's ability to meet its established goals and to maintain its financial viability.
Internal control is the responsibility of everyone in a bank.
Almost all employees produce information used in the internal control system or take other actions needed to effect control.
The recognition by all employees of the need to carry out their responsibilities effectively and to communicate to the appropriate level of management any problems in operations, instances of non-compliance with the code of conduct, or other policy violations or illegal actions that are noticed. It is essential that all personnel within the bank understand the importance of internal control and are actively engaged in the process.
-
XII. Controls/Mitigation of Operational Risk
...continued
Requirements of effective internal control should be:
an appropriate control structure set up, with control activities defined at every business level;
top level reviews; appropriate activity controls for different processes or divisions; physical controls; checking for compliance with exposure limits and follow-up on noncompliance;
a system of approvals and authorisations; and a system of verification and reconciliation;
areas of potential conflicts of interest should be identified, minimised, and subject to careful, independent monitoring;
information should be reliable, timely, accessible, and provided in a consistent format;
effective channels of communication to ensure that all staff fully understand and adhere to policies and procedures affecting their duties and responsibilities and that other relevant information is reaching the appropriate personnel.
-
XII. Controls/Mitigation of Operational Risk
Audit functions
an effective internal audit function that independently evaluates the control systems within the organisation;
part of the ongoing monitoring of the bank's system of internal controls and of its internal capital assessment procedure ????
-
XII. Controls/Mitigation of Operational Risk
...continued
Mitigation of risks
For all material operational risks that have been identified, the bank should decide whether to use appropriate procedures to control and/or mitigate the risks, or to bear the risks.
The decision to retain or self-insure the risk should be transparent within the organisation and should be consistent with the bank's overall business strategy and appetite for risk.
For those risks that cannot be controlled, the bank should decide whether to accept/tolerate these risks, reduce the level of business activity involved, or withdraw/terminate from this activity completely.
Risk mitigation tools or programmes can be used to reduce the exposure to, or frequency and/or severity of, such events.
However, we/banks should view risk mitigation tools as complementary to, rather than a replacement for, thorough internal operational risk control.
-
XII. Controls/Mitigation of Operational Risk
...continued
Management Responses
Tolerate
o Positively take the risk (opportunity)
o Live with the risk
o Negatively accept the risk (threat): unable to respond
Terminate
o Stop
o Don't start
Transfer
o Insure, hedge, contract out, share (but be careful with this option)
Treat
o Control likelihood, impact or both
o Through directive, preventive, detective and corrective controls
-
XIII. Operational risk reporting requirements
Compile and report to the RCMP:
Risk assessment findings/results;
Control assessment results/findings;
Performance/status on KRIs;
Key risks with significant control weaknesses;
Breaches and deviations, if any.
-
Incident reporting format
COMMERCIAL BANK OF ETHIOPIA
RISK AND COMPLIANCE MANAGEMENT PROCESS
OPERATIONAL RISK INCIDENT REPORTING FORMAT
For the month: __________________
Submission date | Incident date | Discovery date
Reported by: Process | Sub process/branch | Position | Name | Telephone
Report submitted to: Name | Telephone
Detailed description/update: Incident narrative | Cause | Impact/Consequence
Data of corrective/preventive action taken: Details of corrective/preventive action taken/to be taken | Date of action | Action owners
Financial impact in Birr: Actual loss | Potential loss | Recovered amount | Recovered by | Net loss (Act. loss - Rec. amt) | Remark
To be completed by ORM team only: Operational risk category
Logged by (ORM officer - maker): Name | Date
Reviewed by (ORM officer - checker): Name | Date
-
XIV. Tools for operational risk identification and assessment
A. Audit Findings
B. Internal Loss Data Collection and Analysis
C. External Data Collection and Analysis
D. Risk Assessments
Risk Self Assessment(RSA)
Risk Control Self Assessments (RCSA)
Scorecards build on RCSAs
Business Process Mapping
Risk and Performance Indicators
Scenario Analysis and Measurements
Comparative Analysis