Operational Risk Management


Description

Risk management focused on operational risk

Transcript of Operational Risk Management

Page 1

Rules for Risk: A Model for Managing Operational Risks

Featuring operational risk expert Philippa Girling, former head of operational risk at Morgan Stanley and Nomura

NOVEMBER 14, 2012

Sponsored by


Page 2

Follow the Conversation on Twitter

Use #HBRwebinar

@HBRExchange


Page 3

Today’s Speaker

Philippa Girling, Operational Risk Expert


Philippa Girling, Esq., FRM, November 14th, 2012

RULES FOR RISK: A MODEL FOR MANAGING OPERATIONAL RISKS

Page 4

Rules for Risk: A Model for Managing Operational Risk

© Philippa Girling 2012 Reproduction only with Permission

OPERATIONAL RISK

Definition: Risk of loss resulting from failed or inadequate people, systems, processes or external events

Includes legal risk

Excludes reputational risk


OPERATIONAL RISK & SANDY

Hurricane Sandy

Power

Connectivity

Phones

Physical damage

Exchange shut down

Life safety

Business continuity & disaster recovery

Page 5

OPERATIONAL RISK AT THE OLYMPICS

People: Nervous athletes, opinionated officials, aggressive press, terrorists, disgruntled Londoners, (missing) security guards, confused volunteers, crazed fans, lost children, Heads of State, visiting dignitaries and the list goes on

Processes and systems: Stadium building and preparation, ticket sales, transportation, opening ceremonies, closing ceremonies, Olympic village management, cleaning, feeding, running races, organizing matches, safety checks of the parallel bars, awarding medals, playing anthems, global broadcasting, keeping that darned flame alight and the list goes on.

External Events: Two words – London Weather.


OPERATIONAL RISK IN THE MARKETS

Knight Capital

Technology risk leads to $400m loss

Process failure

UBS Rogue Trader

Kweku Adoboli

Unauthorized trading leads to over $2b loss

Some Societe Generale control failures repeat

JP Morgan Whale

Bruno Iksil leads trading strategy that results in at least $2b loss

Standard Chartered and others…

$340m AML fine

Page 6

MANY IMPACTS

Financial

Direct & indirect

Reputational

Share value decline

Client

Regulatory & Legal

Life Safety


OPERATIONAL RISK CATEGORIES

Internal Fraud: Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involves at least one internal party.

External Fraud: Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involves at least one internal party.

Page 7

OPERATIONAL RISK CATEGORIES

Internal Fraud

External Fraud

Employment Practices and Workplace Safety: Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity/discrimination events


OPERATIONAL RISK CATEGORIES

Internal Fraud

External Fraud

Employment Practices and Workplace Safety

Clients, Products & Business Practices: Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.

Page 8

OPERATIONAL RISK CATEGORIES

Internal Fraud

External Fraud

Employment Practices and Workplace Safety

Clients, Products & Business Practices

Execution, Delivery and Process Management: Losses from failed transaction processing or process management, from relations with trade counterparties and vendors.


OPERATIONAL RISK CATEGORIES

Internal Fraud

External Fraud

Employment Practices and Workplace Safety

Clients, Products & Business Practices

Execution, Delivery and Process Management

Business Disruption and System Failure: Losses arising from disruption of business or system failures

Page 9

OPERATIONAL RISK CATEGORIES

Internal Fraud

External Fraud

Employment Practices and Workplace Safety

Clients, Products & Business Practices

Execution, Delivery and Process Management

Business Disruption and System Failure

Damage to Physical Assets: Losses arising from loss or damage to physical assets from natural disaster or other events.


OPERATIONAL RISK CHALLENGE

Definition: “The risk of loss resulting from inadequate or failed internal processes, people and systems or external events”

Similar to other risk types:

Rigor should be applied to the management of operational risk.

Failure to properly manage operational risk can result in a misstatement of an institution’s risk profile and expose the institution to significant losses

Regulatory requirement

Business drivers

Different to other risk types:

Typically not directly taken in return for an expected reward

Exists in the natural course of corporate activity

Page 10

RISK MANAGEMENT GOALS

Identify

Assess

Control & Monitor

Mitigate

&

Hold capital as protection


THESE TENETS AT THE OLYMPICS

All seven categories of operational risk were present in the headlines:

Olympic badminton players disqualified for trying to lose - Internal Fraud

London Olympics Fake Tickets Create ‘Honeypot’ for Criminals - External Fraud

Empty seats at Olympic venues prompt investigation - Clients, Products and Business Practices

Dispute Between London Olympics and Musicians Union Heats Up - Employment Practice and Workplace Safety

NATB calls London Olympics ticket distribution a failure - Execution, Delivery and Process Management

Olympic security shortfall called “absolute chaos” - Damage to Physical Assets

London 2012: Traffic jams and impact of Games Lanes - Business Disruption and System Failure

Identify, assess, control and mitigate

Management use a common model to identify and assess the impact of risks to their business. For each risk, the likelihood and consequence are identified, management controls and the frequency of monitoring are confirmed and results reported.

Annual Report of The London Organising Committee of the Olympic Games and Paralympic Games Ltd (LOCOG), p. 33

See blog at www.pxgassociates.com for details

Page 11

OPERATIONAL RISK FRAMEWORK

Governance

OPERATIONAL RISK FRAMEWORK

Culture and Awareness

Governance

Page 12

OPERATIONAL RISK FRAMEWORK

Culture and Awareness

Policies and Procedures

Governance

OPERATIONAL RISK FRAMEWORK

RCSA*

Scenario Analysis

Key Risk Indicators

Internal Loss Data

External Loss Data

Culture and Awareness

Policies and Procedures

Governance

* Risk & Control Self Assessments

Page 13

OPERATIONAL RISK FRAMEWORK

RCSA*

Scenario Analysis

Key Risk Indicators

Internal Loss Data

External Loss Data

Measurement and Modeling

Reporting

Culture and Awareness

Policies and Procedures

Governance

* Risk & Control Self Assessments

OPERATIONAL RISK FRAMEWORK

RCSA*

Scenario Analysis

Key Risk Indicators

Internal Loss Data

External Loss Data

Measurement and Modeling

Reporting

Culture and Awareness

Policies and Procedures

Risk appetite

Governance

* Risk & Control Self Assessments

Page 14

GOVERNANCE

Who owns operational risk function?

CRO, COO, CFO?

What does operational risk function own?

Business continuity?

SOX?

Information Security?

New product approval?

Supplier risk management?

Business line operational risk managers?


CULTURE AND AWARENESS

Be clear about the brand

Market the benefits and expectations

Train broadly

Engage sponsors

Page 15

POLICIES AND PROCEDURES

Regulatory expectation

Engagement tool

Best practice

Audit tool

Write:

Operational risk policy

Include standards, governance and monitoring and enforcement

Loss data procedures

Assessment procedures

Metric procedures

Reporting procedures


LOSS DATA

Internal loss data

Set clear standards

Provide training and tool

Include regulatory and business requirements in design

External loss data

Tap available sources: Algo First, ORX, SAS

Uses of loss data

Identify risk areas and control weaknesses

Agree mitigating actions and owners

Prioritize risk reduction

Provide information for RCSA and Scenario Analysis

Identify potential metrics

Page 16

ASSESSMENT

Risk and Control Self Assessment (RCSA)

Workshop approaches

Questionnaire approaches

Scoring methods

Score inherent and residual risk?

Score control effectiveness (design and performance)

Consider multiple impact categories

Timing: annual, quarterly, continuous

Attach metrics

Tools available


SCENARIO ANALYSIS

Process to identify rare catastrophic risks

Uses:

Input into capital calculation

Engage business in very large operational risk discussion

Identify key areas for risk mitigation

Page 17

METRICS AND KRIs

Not everything that counts can be counted and not everything that can be counted, counts.

Select metrics wisely

Don’t frisk the ant, while the elephant walks by

Consider metrics after RCSA, attach to key risks and controls

Define carefully

Ensure clear ownership

Quality check

Use them as tools in the toolbox,


CAPITAL MODELING

Basel II requirement that operational risk capital be held using an advanced measurement approach

Include all four elements in capital model:

Internal loss data

External loss data

Scenario analysis

Business environment internal control factors

Page 18

REPORTING

Never produce a ‘so what’ report

Provide risk analysis and require decisions

Use reporting as escalation tool under governance structure

Include:

Relevant loss data trends and concerns (internal and external)

Metrics analysis highlighting risk reduction or increases

Assessment output and themes

Progress on risk mitigating actions

Design to suit the audience


RISK APPETITE

Difficult to articulate

Consider:

Loss data ‘limits’

Metrics thresholds

Qualitative risk assessment scoring

All impact types

Page 19

ENTERPRISE RISK MANAGEMENT


Reputational

Geopolitical

ERM

Market


OPERATIONAL RISK FRAMEWORK

RCSA*

Scenario Analysis

Key Risk Indicators

Internal Loss Data

External Loss Data

Measurement and Modeling

Reporting

Culture and Awareness

Policies and Procedures

Risk appetite

Governance

* Risk & Control Self Assessments

Page 20

Q&A

Philippa Girling


973 460 2745


Page 21

Thank you for joining us!

NOVEMBER 14, 2012

This presentation was made possible by Zurich, a global leader in risk management services and insurance solutions. For more information about Zurich’s portfolio of products and services, visit:

www.zurichna.com
