Operational Risk Management Framework in Soneri Bank

MBA Research Project, Fall 2013
Group: Imtiaz Ahmed Hanfi, Arif Hussain Tirmizi
Supervised by Syed Farhan Shakeel


ABSTRACT

Banks face many risks, which should be managed, though their core competence is to cut excess costs and maximize their profits. Operational risk is increasingly important in the management and corporate governance of a bank, and increasingly has greater implications for and interactions with other risks, such as market or credit risk. The management and analysis of operational risk is a necessary activity for a bank, presenting many opportunities for development and a major field of study on conceptual and practical issues, owing to the particularity and complexity of this type of risk. Making use of secondary data collected through library research, journals and analysis of reports, the paper reviewed the operational risks of banks and their management. Soneri Bank has been selected as a case study in order to understand operational risk management in banks in Pakistan.

The adoption of Basel II by the SBP has inexorably increased the need for effective management of operational risks and for the development and implementation of structured methodologies for the analysis and quantification of operational risk within the bank.


ACKNOWLEDGEMENT

Completion of our MBA research project was only possible due to the motivation and helping hand of many others along with our own efforts. We would like to take this opportunity to express our heartfelt gratitude to the people who have been instrumental in the successful completion of this project.

Foremost, we would like to express our deep gratitude and respect to Mr Syed Farhan Shakeel, whose advice and insights were invaluable to us and without whose motivation and encouragement this research project would not have materialized. We cannot express our gratitude for your tremendous help throughout the course of this project.

Secondly, this report would not have been possible without the respondents who took the time to respond to our questionnaire and enabled us to finish the term report in a timely manner.

The guidance and support received from all the members who contributed and who are contributing to this project was vital for the success of the project. We are grateful for their constant support and help.


Table of Contents

ABSTRACT
ACKNOWLEDGEMENT
List of Tables

CHAPTER ONE: BACKGROUND OF THE TOPIC AND STATEMENT OF THE PROBLEM
  Introduction
    I. The Basel II Framework
    II. The Risk Management Guidelines of the State Bank of Pakistan
  Problem Statement
  Scope
  Delimitation
  Objectives
  Definition of Operational Risk
    Causes of Operational Risk

CHAPTER TWO: RESEARCH METHOD & PROCEDURE
  Research Design & Methods
  Respondents of the Study
  Research Instrument
  Sources of Data
  Treatment of Data

CHAPTER THREE: LITERATURE REVIEW
  Introduction
    I. Identification of Operational Risk
      1) Definition of Operational Risk
      2) Underlying Operational Risk Factors
        i) People
        ii) Systems (Technology)
        iii) Processes
        iv) External Factors
      3) Methods of Risk Identification
  Conceptual Framework

CHAPTER FOUR: PRESENTATION ANALYSIS
  Operational Risk Management Framework
    I. Risk Identification and Assessment
    II. Risk Monitoring
    III. Risk and Loss Event Reporting
    IV. Other
  Policy and Strategy for Operational Risk Management
    ORM Overall Strategy
    V. Strategy for Operational Risk Identification and Assessment
    VI. Strategy for Operational Risk Monitoring and Mitigation
      Operational Risk Monitoring
      Operational Risk Mitigation
    VII. Strategy for Operational Risk Reporting and Measurement
  Risk and Control Self Assessment (RCSA)
    Purpose of RCSA
  Likelihood Grid
  Impact Grid
  Heat Map
  Analysis of Data from Survey

CHAPTER FIVE: SUMMARY OF FINDINGS, CONCLUSION & RECOMMENDATION
  Findings
    I. Interview
    II. Survey Results
  Conclusion

APPENDIX
  Questionnaire
References

List of Tables

Table 1.1 Source: (Laycock, 1998)
Table 1.2: Taken from Crouchy (2000)
Table 2.1: Risk Impact Table
Table 2.2: Risk Likelihood Table
Table 2.3: Activity based Risk & Control Self Assessment at Soneri Bank
Table 2.4: Likelihood Grid
Table 2.5: Impact Grid
Table 2.6: Soneri Bank's Heat Map


CHAPTER ONE: BACKGROUND OF THE TOPIC AND STATEMENT OF THE PROBLEM

Introduction

Banking business is all about managing risks and returns, the accomplishment of which continues to present a key test to all banking institutions. The success of a bank is consequently dependent on how well the bank manages its risks. The foremost purpose is not to eliminate risk, but to be hands-on in assessing and running risks to the bank's strategic benefit.

Banks have been through an intense period of transformation in the past few years, with changes that have significantly enhanced the potential for operational risk. Improved regulation, mergers and acquisitions, internal reformation and changes to systems and technology confront management with a possible minefield of risks as well as issues.

Previously, operational risk has been dealt with by internal control methods within business lines, supplemented by the Audit function. The industry has now started to use explicit structures and control processes tailored to operational risk mitigation. As operational risks have advanced with the increasing complexity of the Bank’s activities, the acceptance of a risk management framework is crucial in order to control this risk.

I. The Basel II Framework

The global banking sector and controllers now face new challenges with the requirements spelled out in the Revised Framework for International Convergence of Capital Measurement and Capital Standards (often referred to as the “Basel II Accord”) put forward by the Basel Committee on Banking Supervision. The Basel II Accord sets out the regulatory capital framework that replaced the existing 1988 Capital Accord with a more risk-sensitive framework and introduced for the first time an obligation to hold capital against operational risk.

Significant transformation in risk management practices, the regulatory environment and financial markets over the last decade has resulted in the need to strengthen the stability of the international banking system. The framework places increased focus on compliance and supervisory evaluation, and also on capital management, which is expected to be achieved through a closer alignment of capital to actual risks (risk-sensitive capital requirements).

The Basel II Accord introduced the following three approaches for the computation of the operational risk capital charge:

a) Basic Indicator Approach (BIA)
b) The Standardized Approach (TSA)
c) Advanced Measurement Approach (AMA)

II. The Risk Management Guidelines of the State Bank of Pakistan

The SBP has adopted the Basel II Accord vide its BSD circular No. 8 dated June 27, 2006, detailing the instructions and rules relating to the capital adequacy requirements under the said Accord.

According to the circular, banks may choose to adopt either BIA or TSA, while the AMA is not being proposed at the moment. However, banks are advised to follow the international best practices, with reference to data availability and the sophistication of their risk management framework, and may prepare themselves for an early adoption of AMA, as and when approved by the SBP.

Problem Statement

To identify the current status and the underlying factors of operational risk management, in order to provide a comprehensive description of the Operational Risk Framework.


Scope

This study would be conducted on one of the emerging banks in Pakistan, i.e. Soneri Bank. The participants for the qualitative research are bankers from the operational department of Soneri Bank in Karachi, who shall be interviewed.

Delimitation

Our study primarily focuses on three main factors of operational risk only:

- People
- Process and System
- External Factor

Objectives

The purpose of this study is to suggest a structured approach for operational risk in a banking environment in order to protect the interest of the stakeholders as follows:

- Providing depositors with greater reliability;
- Providing quality services to customers and increasing their confidence in doing business with the Bank;
- Providing employees with the best possible working environment to improve their morale and efficiency; and
- Improving the overall financial image and reputation in front of the government and regulators.

Definition of Operational Risk

The Basel II Accord describes operational risk as the possibility of loss resulting from inadequate or failed internal processes, people and systems or external events. This definition takes account of legal risk, but excludes strategic and reputational risk.

Though reputational risk is not formally integrated in the classification of operational risk under the Accord, the Bank considers the reputational consequences of failures in operational risk management as a component of the ORM framework across the Bank.

From the Bank’s perspective, operational risk is classified as the risk of loss resulting from inadequate or failed internal processes, people and systems or external events. This classification consists of legal risk as well as the reputational consequences of failures in operational risk management.

Causes of Operational Risk

Risk is stated in terms of three components: event, cause and effect. This can be explained by an easy example, a worm virus:

a. Event (Risk) – a virus enters your computer;
b. Cause – the external cause is a hacker, the internal cause is a lack of current virus protection software; and
c. Effect or consequence – computer software fails; data is lost, with potential financial and non-financial consequences.

Identifying the root cause of an event (risk) helps to isolate operational losses from other types of losses and to understand what action might be appropriate to mitigate the risk level. Some examples of operational risk causes include:

- lack of policies and procedures
- insufficient segregation of duties
- not enough training
- insufficient activity management
- lack of management review and supervision
- insufficient analyses
- information processing mistakes
- not enough physical controls
- inadequate business continuity plan and disaster recovery plan
- risk factors that are not in the control of the bank

When the root cause of a loss event or probable loss is internal, the center of attention must be on how to address the causal factor(s). This usually involves changing a business process or enhancing controls to decrease the potential likelihood and impact of a risk event. For example, if “miscommunication” of significant information resulted in some serious consequences, consideration should be given to improving the quality of communications, perhaps by implementing a rigorous Management Information System (MIS).

When the root cause of a loss event or probable loss is external, focus should be on how well the key risk indicators (that are not in the Bank’s control) are being monitored.

CHAPTER TWO: RESEARCH METHOD & PROCEDURE


Research Design & Methods

Research Type: Qualitative.

Research strategy is case study.

Data Collection: Primary data and Secondary Data

Respondents of the Study

Soneri Bank personnel who are directly and indirectly involved in managing operational risks.

Research Instrument

Data pertaining to our research will be collected through interviews, a questionnaire and documented data of Soneri Bank.

Sources of Data

The data for the guidelines with respect to ORM at Soneri Bank have been obtained from the risk management guidelines of the State Bank of Pakistan (SBP) and the Basel II Accord issued by the Basel Committee and adopted by the SBP.

Treatment of Data

Data gathered will be interpreted according to our own understanding of an optimal research framework, and results obtained through the survey will be analyzed through Excel graphs.

CHAPTER THREE: LITERATURE REVIEW


Introduction

Globalization and new technology have provided the banking industry with profit-making opportunities but have also made it more vulnerable to operational risk. It seems that the industry’s risk-control capabilities have not kept pace with these developments, as shown by, for example, the Barings bank trading saga in 1995. This occurrence, together with many others, motivated banks to take a more proactive approach to operational risk management.

The first challenge is to identify the underlying risk factors on which a definition for operational risk could be based. This definition could, in turn, be used for the classification of operational risk in the identification process. The second challenge is to evaluate the risk factors to determine their potential impact on banking institutions. The appropriate techniques available to measure these factors, and therefore control them, will also be discussed. Thirdly, risk control will be addressed in terms of the activities needed to eliminate or reduce the potential adverse effects of the underlying risk factors, as well as the organizational structure that should be in place to support risk management activities. Lastly, the cost of managing operational risk will be discussed.

I. Identification of Operational Risk

Williams (2000) holds that determining operational risk depends on the particular firm and also states that “The key thing is that firms really need an internal definition of operational risk. People talk about key factors or key risk factors with the idea being to pick a finite list of things that you believe you have exposure to, and then prioritize those and focus on the ones that seem to be the most important.”

Williams (2000) emphasizes that risk identification, as the first step of a risk management process, provides an important foundation for the firm to rely on in the future. Furthermore, if there is not a clear understanding of what operational risk means to the individual business units and the corporation as a whole, it will not be possible to build any technology systems for the measurement and management of the risks.

Although it might sound straightforward, it often causes confusion, as managers focus on the effect rather than the cause of the risk. In this regard, Rachlin (1998) states that banks often try to reduce the symptoms rather than try to rectify the underlying problems. Hence the necessity to take a brief look at the causes and effects of operational risk.

| RISK FACTOR | CAUSE | EFFECT |
| People (Human Resource) | Loss of key staff due to defection of key staff to competitor. | Variance in revenues |
| Process | Declining productivity as value grows | Variance in process costs from predicted levels |
| Technology | Year 2000 upgrade expenditure | Variance in technology running costs from predicted |

Source: Adapted from (Crouchy, 2000)

Laycock (1998) lists six categories of causes that could give rise to operational risk (Table 1.1):

PEOPLE/EMPLOYEES
- Errors
- Misdeeds
- Employment law
- Employer’s liability
- Absence/Loss of key staff
- Organizational structure
- Corporate Governance
- Wrongful trading

CUSTOMER RELATIONSHIP
- Client suitability
- Client capacity
- Client power/authority to transact
- Money laundering

TECHNOLOGY
- System failure
- System integrity
- System age
- System suitability
- System support
- System conformance to corporate standards
- Model risk
- Data quality

ASSETS
- Business interruption
- Asset loss/destruction
- Third party theft
- Fraud

REGULATOR/SUPPLIERS
- Legal risk
- Compliance with standards
- Changes in regulatory standards
- Supplier “Failure”

OTHER
- Project risk
- Reputation risk

Table 1.1 Source: (Laycock, 1998)

This list is, however, not exhaustive and presents only one way of categorizing the causes and events relating to operational risk. Among the categories listed are some that are extremely difficult or impossible to quantify, such as the organizational issues.

Crouchy (2000) states that operational risk can be broken down into three main risk factors, namely the failure of people, processes and technology deployed within the business (Table 1.2). They also classify these main risk factors according to internal and external dependencies. Internal dependencies should be analyzed according to a set of common features consisting of three key components, namely capacity, capability and availability.

Table 1.2: Taken from Crouchy (2000)

1) Definition of Operational Risk

From the above discussion it is evident that an accepted definition of operational risk should include both the internal and external underlying factors. A suggested working definition for operational risk by the (Authority, 1999) is: “The risk that the continuation of business may lead to loss as a result of human fallibility, technological shortcomings and/or various external factors. A bank should mitigate these risks through the use of systems and controls. However, if the latter is inadequate, they may constitute new risks and/or exacerbate existing risks”

The factors included in the definition could be easily identified as:

- People (human fallibility)
- System (technological shortcomings and breakdowns)
- Processes (systems and controls)
- External factors

It could, however, be said that other risks that a bank is exposed to could also include the above-mentioned factors. As such, it is important to qualify the interrelation of these operational risk factors with the other primary risks, such as credit risk, market risk, liquidity risk and country risk. It is, therefore, imperative to distinguish clearly between operational risk and other risks to ensure a more positive management approach towards operational risk.

According to the (Authority, 1999), it is imperative that a definition of operational risk should be as comprehensive as possible. It is prudent to consider all the risks that an institution faces and to mitigate those risks. Failure to include a risk explicitly in a definition may result in failure to consider that risk. Therefore, the inclusion of the underlying factors of operational risk in its definition is imperative. Reflecting the main underlying risk factors in the definition of operational risk could also assist the process of evaluating and quantifying operational risk for control purposes.

During a conference on 21 May 1998, the Operational Risk Forum decided to identify a narrow and a wide definition of operational risk.

- Narrow definition: Operational risk is seen as risk residing in the department called “operations” and is described as those errors and omissions of controls, systems and processes which may lead to potential losses.
- Wide definition: Operational risk is seen as all risks not covered by market or credit risk. The problem with this approach is that it may leave an unidentified residue, which could impact the income statement materially and undermine the wide definition approach.

In order to accommodate the wide and narrow definitions, the Operational Risk Forum defined operational risk as follows:

“Operational risk is the exposure to potential financial losses. Such losses may be caused by internal or external events, trends and changes, which were not captured by the corporate governance and internal control framework, systems, policies, organization, ethical standard or other key controls and standards of the firm. Such losses exclude those already captured by other risk categories such as market, credit, or strategic/business risk”

Although this definition includes the main underlying operational risk factors (people, system, process and external factors), it also includes other elements or “sub-risk” factors such as policies, control framework and ethical standards. This approach could possibly lend itself to the omission of other factors, for example, procedures, organizational structures and risk principles. This definition, although comprehensive, should rather be stated differently by referring to only the main underlying risk factors. This will ensure that no “sub-risk” factors are omitted and that it still covers the requirements of a narrow and wide approach.

Taking into account all the previously discussed viewpoints of operational risk, a suitable definition for operational risk management in a banking environment could be the following:

Operational risk is the exposure of a bank to possible losses, resulting from inadequacy and/or failure in the execution of its operations. The source of these losses could be process, people, system and external events.

This definition firstly comprises the main underlying operational risk factors, namely, people, processes and systems. Although the factors are seen as an integral part of operational risk, they could also have an influence on the total organization in terms of its operations. As such, it is important to take cognizance of the interrelationships between operational risk and the other main risk types like credit, market and liquidity risk. The following example illustrates the interrelationship between operational and credit risk:

The failure of a bank’s credit system could result in a loss of credit business. Although it is a loss in terms of credit business, the loss is a result of the system failure. As such, the loss should be classified as an operational loss. The actual risk (operational risk) should be addressed by operational risk control measures, for example, ensuring that back-up systems are in place to prevent any losses due to system failures.

Secondly, the definition includes the risk pertaining to the external factors which are beyond the direct control of a bank. The definition looks specifically at the adverse effect external factors could have on the bank if the people, processes and systems cannot cope with them. For example:

If lightning should neutralize the internal system of a bank, preventing the bank from doing business, it could result in a loss. The adverse effect on the systems could be seen as an operational risk exposure; hence the necessity to address it according to an operational risk management process. For instance, having a backup system to ensure the normal continuation of business could be seen as an operational risk control mechanism.

Thirdly, the definition excludes the risk exposures to a bank caused by other risks such as market, credit, liquidity, and country. The intention of the definition is to indicate in a positive way what operational risk entails rather than to indicate that it consists of all factors not covered by the aforementioned risks. This positive approach towards operational risk should allow management to be more specific in addressing all the relevant operational risk factors.

2) Underlying Operational Risk Factors

Katz (1995) stated that no business should be entered into without a full and early

assessment being made of the underlying risk factors that relate to it. Furthermore, all risk

factors need to be identified such that credit, operating, accounting, reporting and risk

management tools can be put in place. Davies (1998) states that a central requirement of a

risk allocation process is to be able to assess the extent to which the exposure to a risk

factor increases or decreases the expected volatility of earnings. This emphasizes the

necessity to identify risk factors with sufficient precision to be able to monitor and

control them effectively.

In the previous section operational risk was defined based on the primary underlying

operational risk factors that were identified as:

People

System (Technology)

Processes

External factors

This section deals in detail with each of these underlying factors to determine their effect

on operational risk.

During the detailed analysis of the primary underlying operational risk factors, additional

sub-risks of operational risk will be identified; for example, people as a risk factor could

result from human error, which could cause fraud and subsequently be viewed as fraud

risk. However, it must be emphasized that the dynamic nature of a business could

influence its exposure to risks and additional underlying risk factors could evolve,

changing the overall potential effect of operational risk.

i) People

The success of a business is dependent on the knowledge, skill and capability of the

persons involved in all of the business processes.

Kingsley (1998) stated that people are the most important resource of a company and

historically, they have been overlooked while assessing operational risk, as it is hard to

judge the risk of:

Human mistake

Lack of reliability

Lack of separation of duties

Poor customer service

Dependency on key individuals

Inadequate skills

Lack of training

Kingsley (1998) argued that one of the major reasons for many dramatic failures is people

risk as it is very difficult to measure.

From the above, it is evident that people risk could include a variety of sub-risks, which

should be addressed during a risk management process.

Integrity:

o Fraud

o Collusion

o Malice, the unauthorized use of information

o Rogue trading

Competency

Management

Personnel

Health and safety

Authority (1999) identified the following primary sources of people risks:

Incompetent staff

Human mistake

Poor working environment

High staff turnover

Poor communication

Unauthorized decision making

Wilson (2000) states that human resources (people) risk is not just the responsibility of

the human resources department, although they do contribute to controlling of the risk.

The business units themselves have specific responsibilities regarding the control of

operational risk. For example, given the rogue trader problems, which some banks have

suffered, it is also important that the operational risk manager checks that the human

resources department has sufficient controls with regards to personnel security, namely:

Hiring process

o References and working credentials

o Existing and ongoing security training and awareness program

o Job descriptions defining security roles and responsibilities

Termination procedures

o The extent of the termination debriefing

o Ensuring revocation of physical access (cards, keys, system access authority ID, etc.)

ii) Systems (Technology)

A bank faces operational risk when the system it chooses is not designed or implemented

according to the requirements of end users both internal and external. For example, if the

systems of the bank are too slow, this results in delays in customer service. A

further problem banks face is rapidly changing technology, which exposes them

to the risk of systems obsolescence. For example, electronic banking systems require

regular updating. This type of software poses a risk for a bank, as criminal or malicious

individuals could interrupt and modify it, leading to potential losses. In addition, staff

must be trained for new technology, so that they can understand and run the new

systems. So, whenever the technology changes, it exposes the bank to operational risk.

Operational risk could also be identified in terms of a risk resulting from system failures,

which reflects the possibility that the systems are inherently flawed and could arise from

various factors. Various authors include systems in their definitions of operational risk, as shown in

the following extracts.

“…risks are those of malfunctioning of the information systems...”

“…the potential for adverse fluctuation due to the effects attributable to system...”

“...the risk runs by a firm … its internal practices, policies and systems...”

“Operational risk arises from the potential for inadequate systems...”

According to Wilson (2000), technology risk is at the heart of a business such as

investment banking and should be addressed during the implementation of any system

changes or developments. A firm could be exposed across all business areas to general

technology risk. He lists the following types of protection against system risk:

Physical protection

Functional protection

Data protection

The sub-risk factors of systems could be summarized as follows:

System failures

Security breaches

Non-development of systems and implementation failure

Insufficient systems capacity

Poor data integrity

This list could be expanded or formulated more accurately according to the systems needs

of an organization.

iii) Processes

According to various definitions of operational risk, it is once again evident that

processes form an integral part of operational risk and could thus be seen as a main

underlying risk factor. This is substantiated by the following examples:

“The risk of loss caused by failure in operational processes…”

“Operational risk is the exposure to financial or other damage arising through

unforeseen events or failure in operational processes…”

“Risks are associated with any other day-to-day business processing…”

“Operational risk involves processing…”

“Operational risk arises from failure to control … processing…”

“Operational risk is the potential for loss caused by events such as the breakdown

of processes…”

The process environment forms a part of the operations environment and the

components of the environment act upon and influence each other (Davies, 1998).

Thus an external event, such as the introduction of the Euro, could have an impact on

a bank’s process environment as it could influence the internal processes which relate

to the activities involved in dealing with the Euro.

The process environment ultimately controls the quality of data integrity. This,

according to Davies, includes both static data and transaction data.

The risk could arise at any part of the process from order capture to the recording of

the transaction to the general ledger. Davies states that operational risk is therefore not

limited to operation functions and may also exist in the following circumstances.

Set Up

o The set up of new instruments and counterparties

o New business process to control the migration of new products into the

process environment

Pre-Settlement Activity

The settlement and agreement of trade data and details of settlements with

third parties:

o Trade capture

o Confirmation/affirmation

o Balancing to exchanges, and

o Maintenance events, for example, rates re-fixes and expiries

Post-settlement activity

The movement of and control over, cash and physical assets:

o Processing of the movement of assets, such as cash and stock

o Inventory management, for example, custody and corporate actions processing, and

o Reconciliation of internal records to custodians and agents

In order to address the processing risks, as part of operational risk, it must be determined

exactly where the risks are within each environment. According to Davies, this activity

can be initiated by looking at the process flow of a single trade, determining where the

risk occurs and how it can be measured.

It is also evident that processes form an integral part of operational risk and could thus be

seen as one of its main underlying risk factors.

iv) External Factors

External factors beyond the direct control and influence of the organization could have an

adverse effect on the internal underlying operational factors. It is imperative therefore

that these external factors should be considered during an operational risk management

process. The following extracts from various definitions confirm this view:

“Operational risk also includes losses from external events…”

“Operational strategic risk originates outside the firm since it stems mainly from

external areas such as regulatory and fraud risk…”

“…risk of business disruption, control failures, errors, misdeeds or external

events…”

It is important to understand that reference to external events is not intended to include

defaults or market factors that would be captured under definitions of market and/or

credit risk.

According to Authority (1999), fraud risk is considered as an external risk factor.

However, it could also evolve internally. Mayland (1993) states that fraud risk is the risk

that results from illegal actions of a bank’s employees, customers, additional parties on a

transaction or outside intruders. Systemic risk is also seen as a sub-risk factor. Mayland

states that systemic risk arises when a bank participates in a payments or securities

clearance network. If a network participant, for example, fails to settle and causes other

participants to have liquidity problems, it is possible it could also suffer liquidity

problems.

Systemic risks, however, are a legitimate concern of credit administration and credit

policy executives. There is a great deal of regulatory concern for systemic risk and most

of the payments, securities and derivatives networks devote a great deal of effort to

understanding and controlling systemic risk.

Regulations are another external factor that could cause operational risk for a bank.

Mayland (1993) states that the regulators are concerned that some banks are not

devoting enough management attention to the “off-balance-sheet” risks associated with

corporate services. Regulators are therefore responding with specific requirements that

force banks to manage operating risks as one of their priorities.

Because banks have no direct control over that part of operational risk which is generated

by the external factors, it is difficult to manage it proactively. Although it is difficult to

quantify these factors, it is important for a bank to anticipate and address the relevant

issues in order to reduce the factors’ adverse effects.

As with the other main underlying risk factors of operational risk, external factors can be

divided into sub-risks to demarcate the areas that should be addressed during the

management process, namely:

Criminal activities

Catastrophes/natural disasters

Regulations/compliance

Information Security

Economic and Political activities

Once again it must be emphasized that this list could be expanded, depending on the

exposures of an organization.

3) Methods of Risk Identification

The Financial and Management Accounting Committee (FMAC) states that management

and other relevant personnel could identify the key risks in a number of ways, for example:

- Workshop and interviews

- Brainstorming

- Questionnaires

- Process mapping

- Comparisons with other organizations

- Discussion with peers

The Authority (1999) states that the tools for identifying risks could include checklists,

questionnaires, standard templates and facilitated workshops. The estimation of the

impact and probability of the risk event is, however, usually left to the judgment and

experience of the business unit manager. Sometimes loss data of external or internal

events could provide management with examples of the impact of similar events. In a

diverse organization, questionnaires tend to be less useful as the questions they contain may

not be very business specific. However, where an institution is involved in a similar

business at a number of sites, for example, the branch network in a retail bank, a more

detailed questionnaire may be suitable because of the homogenous nature of these

business units.

Conceptual Framework

[Figure: conceptual framework diagram. Labels: Components of Operational Risk Management System (Risk Policy & Strategy; Risk Identification; Risk Assessment; Risk Management & Monitoring; Risk & Loss Event Reporting); Operational Risk Management System; Culture of Organization; Awareness of Employees; Governance; Business Strategy. Key: Independent Variable, Moderating Variable, Dependent Variable.]

[Figure labels: Operational Risk Management Framework; Governance and Organization; Operational Risk Policy, Strategy & Procedures]

CHAPTER FOUR: PRESENTATION ANALYSIS

Operational Risk Management Framework

The operational risk management framework at Soneri Bank comprises the following

key elements:

a. Governance structure for operational risk management

b. Roles and responsibilities of BOD, Risk Management Committee, Senior Management, Head of Risk Management, Operational Risk Management Department and other related personnel or functions.

c. Operational risk management strategies and processes for risk identification, assessment, monitoring, reporting and measurement.

Figure 1: Chart drawn from the information provided during the interview.

[Figure 1 labels: Risk Policy & Strategy; Risk Identification; Risk Assessment; Risk Management & Monitoring; Risk & Loss Event Reporting; Culture and Awareness]

The Operational Risk Management Division (ORMD) is responsible for:

a. Risk Identification and Assessment

b. Risk Management and Monitoring

c. Risk & Loss Event Reporting

d. Risk Policy & Strategy

I. Risk Identification and Assessment

The ORMD is responsible for:

Conducting risk and control assessment of each process.

Assisting business and support units in identifying, assessing and monitoring operational risk.

Establishing Bank-wide risk bands in order to assess the likelihood of occurrence and financial impact of each inherent risk identified in the process of the RCSA exercise.

Conducting RCSA workshops with the process owners or RCSA Coordinators for identifying key risks, their related controls, key risk indicators, severity and likelihood, thresholds and responsibilities.

Accumulating critical risks and key risk exposures identified by RCSA Coordinators and communicating the same to the HRM and the RMC.

Evaluating new product proposals with respect to operational risks and adequacy

of mitigating controls.

II. Risk Monitoring

Acting as an ORM help desk for facilitating the Risk and Control Self Assessment (RCSA) process and resolving RCSA related queries.

Coordinating with business and support units and developing the operational risk tolerance levels for each of the key risks identified.

Monitoring Key Risk Indicators throughout the Bank.

III. Risk and Loss Event Reporting

Reviewing loss event reports submitted by various business and support units of the Bank and accumulating the same in the loss event database.

Implementing a reporting mechanism by generating reports from the loss event database in a timely manner, for monitoring critical risk issues and escalating the same to the senior management.

Developing operational risk measurement methodologies, which reasonably estimate unexpected losses.

Developing operational risk database and data management capabilities to support the ORM framework, such as a centralized loss event database (including external operational loss events), comprising a set of risk metrics.

IV. Other

Formulating ORM strategy, policies and procedures and other key elements of the ORM framework, for review and approval by the RMC / BOD.

Creating a risk management culture throughout the Bank, which includes providing awareness of the significance of ORM and internal controls, generally accepted risk management practices, the Bank’s internal policies and procedures and the changes in the risk management systems.

Reviewing outsourcing arrangements proposed by business and support units.

Providing recommendations to the RMC regarding the appropriate resources and technology to be obtained for implementing the ORM framework.

Liaison with the State Bank of Pakistan for operational risk matters.

Policy and Strategy for Operational Risk Management

Operational Risk policy and strategy has been built around the overall risk strategy of the

Bank and reflects the Bank’s appetite for risk and its understanding of the specific

characteristics of operational risk.

By implementing a Bank-wide ORM framework, the Bank aims to protect the interest of

the stakeholders as follows:

a. Providing depositors with greater reliability.

b. Providing quality services to customers and increasing their confidence in doing

business with the Bank.

c. Providing employees with the best possible working environment to improve their

morale and efficiency, and

d. Improving the overall financial image and reputation in front of the government

and regulators.

ORM Overall Strategy

In order to achieve the above objective, the strategy adopted by the Bank is to minimize

operational risk losses and articulate risk appetite and thresholds. In this regard, the Bank

has developed the strategy for identification, mitigation, assessment, monitoring,

reporting and measurement of operational risk. The ORMD, along with the support of the

RMC and senior management from business and support units, ensures that adequate

strategies are implemented to achieve the operational objectives of the Bank.

In order to achieve its ORM strategy, the Bank aims to implement an effective, consistent

and comprehensive ORM framework and approach, for monitoring and communicating

risks, supported by a suite of principles, policies and controls, including a code of conduct,

authority guidelines, business process standards, policies regarding major risk categories,

systems and processing controls, and an approval process for new products.

V. Strategy for Operational Risk Identification and Assessment

The ORMD uses risk and control self assessment (RCSA) as a tool to categorize and

compute the operational risk inherent in all activities, procedures and structures. The RCSA

exercise is conducted within each key business and support unit in the Bank, mainly through

meetings/workshops with the senior management. The key business and support units are

identified using the following parameters:

a. The Bank’s operational and reporting structure.

b. Qualitative and quantitative materiality, and

c. Discussion with the HRM and the senior management of the Bank.

The output of the exercise results in an RCSA matrix for each business and support unit

mainly comprising the following:

a. Names of the key processes and their respective activities.

b. Inventory of key operational risks and key operational controls.

c. Inherent and residual risk assessment of each risk.

d. Description of key risk indicators.

The head of respective business and support unit is responsible for identification of key

inherent risks mainly arising from the following factors as defined by Basel II:

a. People risk;

b. Process risk;

c. System risk; and

d. External events

For the purpose of this exercise each unit in the Bank nominates a senior management

person from the unit as its RCSA coordinator.

The scope and time horizon for ORM is very wide, which makes it important to prioritize

key risks causing the greatest exposure. Best practices increasingly require risk to be

measured in quantitative terms. Hence, each identified key operational risk is assessed for

the severity and likelihood of its occurrence and then mapped to the Loss Event Types

specified by Basel II. The effectiveness of the controls associated with these risks is

assessed from both an inherent and residual risk perspective.

The RMC approves the Bank-wide operational risk impact and likelihood table based on

the recommendation of the HRM.

The risk impact table comprises the scores from 1 to 5 defined as:

Table 2.1: Risk Impact Table

Each of the above scores is defined as operational loss range bands in terms of Pakistani

Rupees in millions.

Similarly the risk likelihood table comprises the scores from 1 to 5 defined as:

Table 2.2: Risk Likelihood Table

Each of the above scores is defined in terms of time ranges such as almost monthly or

once in a year.

The risk assessment tables for risk impact and likelihood are reviewed on a periodic basis

and revised by the ORMD after getting the input from the senior management. Any

revisions to the risk assessment tables are referred to the RMC for approval.

During the workshop, ORMD obtains the input from RCSA coordinator and the senior

management team participating in the workshop regarding key risk indicators (KRIs) to

be formulated for key operational risks and acceptable threshold for the same. A KRI is a

combined measure of a Key Performance Indicator (KPI) and a Key Control Indicator

(KCI) that is used to link the residual impact of the risk with the likelihood of the risk

occurring. In other words, a KRI shows the extent of stress that a core process is facing.

KRIs are linked directly to risks and at the time of developing KRIs the focus will be

given to the controls and the information system available with the Bank for reporting

such KRIs.

In addition to the qualitative requirements of KRIs data, it is important for KRIs to have

an element of measurability and their thresholds are monitored at the specified periods

stated in the KRI.

The KRIs and the thresholds set for KRIs are revisited by the senior management and

ORMD on an annual basis or whenever required and changes are made due to

improvement in the controls, change in risk appetite and availability of better IT systems

for KRI reporting.

The RCSA coordinator undertakes, annually or as and when required, the RCSA exercise

initiated by the ORMD to ensure that any changes to the unit’s operational / business

objectives, key operational risks and controls, inherent and residual risk assessment and

key risk indicators are being captured. The results of the RCSA exercise are validated by

the Audit Division and forwarded to the ORMD for review. Further, RCSAs are reviewed by

the Manager ORMD and are approved and signed off by the Head of the respective business

and support units.

VI. Strategy for Operational Risk Monitoring and Mitigation

Business and support units are responsible for monitoring and mitigating operational

risks and correcting related internal controls in a timely manner.

Senior management of the business is responsible for ensuring that they have in place,

policies and procedures to control, monitor and mitigate operational risks. These policies

and procedures are supported by a strong control culture.

Operational Risk Monitoring

For the purpose of effective risk monitoring the ORMD recommends a risk

appetite/tolerance table. It is expressed in terms of impact, through an appropriate limit

structure and control processes to enforce these limits.

Operational risk appetite/tolerance level for the Bank is determined and recommended by

the HRM after getting the input of the senior management of the Bank; it is then

endorsed by the RMC and approved by the BOD. The operational risk tolerance level is

documented and communicated via a separate BOD approved policy.

RMD considers the following factors while determining the Bank-wide operational risk

tolerance level:

a. Risk and Control Self Assessment Exercise,

b. Beta (β), set by the Basel Committee for Banking Supervision for eight business

lines under The Standardized Approach of Basel II,

c. Operational loss data of the Bank; and

d. Operational loss data collection exercise conducted by BIS.

The risk appetite table is reviewed and amended, if required, on an annual basis. The senior

management of the business and support units then develop the strategies for controllable

risks and the risks which cannot be controlled. Such strategies include implementation of

additional controls or outsourcing of risk through insurance. Further the KRIs is

developed during the RCSA exercise and its trends over a period of time.

Operational Risk Mitigation

As per the Basel Committee ORM Guidelines, a bank must have policies and procedures

to control and mitigate the operational risks arising from the following factors:

a. People risk

b. Process risk

c. System risk, and

d. External events.

The operations manual, which includes policies and procedures for the concerned business and

support unit, comprises the key operational controls to mitigate the key operational

risks from the process/function. These policies and procedures are reviewed by the

ORMD on a periodic basis to ensure all key operational controls have been documented.

Further, any proposed mitigation plans for key risks are reviewed by the Manager

ORMD, the HRM, the Head of Audit and the Head of Compliance before escalation to

the senior management and incorporating the same in the operations manual of the

concerned business and support unit. Implementation of the existing and proposed

policies and procedures is monitored by the operations group along with the audit and

compliance divisions.

VII. Strategy for Operational Risk Reporting and Measurement

The ORMD works with management of business and support units to prioritize risk

mitigation strategies. For this purpose the RCSA coordinators and the senior management

will report the following to ORMD:

a. Information relating to operational losses,

b. Deviations of actual KRIs from their acceptable thresholds,

c. Change in the residual risk profile due to change in the controls structure.

The reporting of operational loss events and KRIs deviations is done by the management

to ORMD.

All the operational loss data and near misses are reported to ORMD on a monthly basis. Further, KRI monitoring reports and any breaches are reported on a quarterly basis by the respective business and support units’ RCSA Coordinators.

Based on the reporting from the business and support units, the ORMD establishes an operational loss events database.

Data is captured and reported as and when operational risk events occur and are classified in accordance with the Basel II risk categorization framework.

The operational loss event database is used by ORMD in producing operational loss

and KRIs reports.

The operational loss events with critical or high impact and likelihood levels as per the

Bank-wide risk impact and likelihood table will be escalated immediately by the ORMD

to the senior management of the respective business or support unit and the RMC for the

required action. The senior management of the concerned department is responsible for

taking the required remedial action/meeting.

These reports are consolidated and distributed by the ORMD to appropriate levels of

management dealing with the areas which may suffer potential operational impact. In

particular, the RMC needs to be made aware of all significant risk loss incidents or limit

excesses, as well as any follow-up actions that have been taken.

Risk and Control Self Assessment (RCSA)

The RCSA is a structured process designed to enable the identification, self assessment,

evaluation, and monitoring of key operational risks and controls. The process shall also

result in:

a. Business/Support units assuming ownership of their respective key operational

risks and mitigating them through key operational controls on a regular basis.

b. Monitoring of key operational risks through KRIs and related KRI thresholds

c. Implementing controls and mitigating the risks to the acceptable levels, ensuring that product/service delivery is handled as per policy guidelines and customer relationships are maintained adequately

Purpose of RCSA

The purpose of RCSA is to:

a. Make most efficient use of resources.

b. Work with business owners to diagnose business processes and embedded risks.

c. Ensure application and compliance with policies, procedure, laws and regulations.

d. Enhance safety standards by assessing controls and their effectiveness.

Activity: Account Opening

Sub Activity: Entering customer information in the system

Risk ID: 1

Basel II Classification, Loss Event Type 1: Execution, Delivery & process management

Basel II Classification, Loss Event Type 2: Transaction capture, execution & maintenance

Risk Description (Loss Event Type 3): Customer account master file information may be incorrectly entered in the system

Inherent Risk, Impact: 3

Mitigating Controls, Control ID 1.1: An independent person reviews the input of customer account master file information into the system for accuracy by matching it with account opening forms

Mitigating Controls, Control ID 1.2: All accounts opened are supervised by the branch manager.

Residual Risk Assessment: Impact 1; Likelihood 5; Expected Loss 5

Key Risk Indicators (KRI), Description: Number of audit objections

Key Risk Indicators (KRI), Threshold: 0%

Summary of Responsibilities, Process / Risk Owner: Account Opening Officer

Summary of Responsibilities, Control Owner: BM/BOM

Table 2.3: Activity Based Risk and Control Self Assessment (RCSA) at Soneri Bank


Likelihood Grid

The Likelihood Grid shows the score for the frequency of a risk on a scale of 1 to 5. A score of 5 means that an event occurs every month, while a score of 1 means the event might occur within 20 years.

Table 2.4: Likelihood Grid


Impact Grid

The Impact Grid of Soneri Bank assigns a score from 1 to 5, with the rating and loss for each score shown in the table given below:

Table 2.5: Soneri Bank’s Impact Grid


Heat Map

The heat map shows the relationship between Impact and Likelihood. All the risk events of each department are mapped on the heat map so that it becomes easier to analyze how many events are in the low risk category and how many are in the middle and high risk categories.

Table 2.6: Soneri Bank’s Heat Map


Analysis of Data from Survey

1) In what categories does Soneri Bank categorize the operational risk? (Please select all that apply)

The categories in which most of the personnel in Soneri Bank place operational risk are external events that cause damage to physical assets and unauthorized activities by external parties, followed by the other categories shown in the following graph.

External events that cause damage to the physical assets: 100%

Unauthorized activities by external parties: 100%

Employment practices and workplace safety: 96%

Intentional misconduct (internal fraud): 96%

Client, Product and business practices: 96%

Business disruption and system failures: 96%

Business process risks: 92%

Outsourcing: 80%

Other: 8%

Don’t know: 0%


2) To what extent has SONERI BANK applied technology in its operational risk management program? (Please select all that apply)

Technology is being used for the automation of risk reporting: 64%

Technology is being used for the automation of risk monitoring: 96%

Technology is being used for the automation of risk identification: 88%

Technology is being considered: 12%

None, no consideration has been given: 0%

Don’t know: 4%

3) What is operational risk reporting used for? (Please select all that apply)

Operational risk reporting is extremely important as it is used in the day to day management of Soneri Bank operations.

Day to day management: 88%

Compliance: 12%

Financial reporting: 8%

Strategic decision making: 12%

External communication: 0%

Other: 0%


4) What measures has SONERI BANK taken to reduce potential redundancies in completing operational risk assessment (e.g. internal audit, risk management, compliance)? (Please select all that apply)

Risk assessment and risk functions have been mostly consolidated in order to reduce potential redundancies which might exist in operational risk assessment.

Consolidated risk assessment activities: 96%

Consolidated risk assessment functions: 88%

Established template with common assessment questions: 80%

One governance or oversight function: 0%

Other: 4%

None: 0%

Don’t know: 4%

5) Does the operational risk management system capture the interrelation between the various risks identified? (Please select all that apply)

The interrelation of operational risk with other risks is mostly captured in a quantitative way by the operational risk management system.

Yes, in a descriptive way: 36%

Yes, in a quantitative way (e.g. correlations): 72%

Yes, other: 0%

No: 4%

Don’t know: 0%

6) At what time intervals is the operational risk assessment reviewed? (Please select all that apply)

The operational risk assessment is reviewed once yearly.

7) What information is collected as part of the operational risk assessment? (Please select all that apply)

Risk description: 96%

Risk owner: 96%

Control description: 92%

Impact: 92%

Frequency: 92%

Risk ranking: 92%

Action plan if risk appetite/limit is breached: 92%

Key risk indicators: 96%

Risk appetite/Limit: 96%

Other: 16%

Don’t know: 4%


8) How is the operational risk function organized? (Please select all that apply)

Most of the risk management of operational risk is conducted centrally.

Embedded in the lines of business: 4%

Centralized: 88%

Both: 8%

Other: 0%

9) Please rate the following statements on their level of significance to SONERI BANK operational risk program. (1= Not significant, 5= very significant, and 6=Don’t know)

Statements, in chart order: Communication with other departments; Risk Control self assessment; Loss event management; Strategies risk assessment; Key risk assessment; Scenario analysis/stress testing

Chart values, one data series per line, in the same statement order:

4%, 4%, 4%, 0%, 0%, 0%

0%, 4%, 4%, 16%, 4%, 8%

8%, 0%, 0%, 8%, 4%, 16%

4%, 24%, 24%, 28%, 28%, 20%

84%, 68%, 68%, 48%, 64%, 56%

Legend: 5 4 3 2 1

CHAPTER FIVE: SUMMARY OF FINDINGS, CONCLUSION & RECOMMENDATION

Findings

I. Interview


We interviewed Mr. Nadeem Ahmed Khan, Manager Operational Risk, Risk Management Division, Soneri Bank. He gave us valuable information regarding the operational risk management framework at Soneri Bank and helped us to develop the questionnaire. He also explained the basic structure for operational risk management. The chart below shows Soneri Bank's fundamental structure for ORM:

Figure 2: Soneri Bank fundamental structure to follow ORM

II. Survey Results

On the basis of our assessment, it can be concluded that Soneri Bank is progressively recognizing the importance of a well-engineered ORMF for working through diverse economic settings and achieving its business goals, which in a broader perspective is completely factual. The financial breakdown has magnified regulatory inspections, the likelihood of greater reputation risk and the loss of Soneri Bank's self-assurance. These consequences call for vigorous approaches, in both quantitative and qualitative terms, to handling the core risks. Integrating technology, people and processes into risk-mitigating actions will help in balancing compliance actions with strategic opportunities.

However, for the organization to engage in the growth process, much effort is needed to build up the ORMF, whether by upgrading the “tone at the top”, empowering business decisions or reengineering modeling and technological capabilities.

Conclusion

Most organizations consider ORM a chain of independent tasks, which include specifying control glitches, accumulating loss data, evaluating capital figures and forming action plans.

Many firms have invested huge sums of money over time in implementing these silo-based strategies but were unable to accomplish their targets. Many of them have then wrongly concluded that ORM is an unimportant compliance exercise.

However, Operational Risk Management should not be considered a process of disjointed tasks. Instead, it should be viewed as a planned course for formulating up-to-date risk management conclusions, in which control information and significant risk are included in a comprehensive structure. This approach is termed modern ORM. Modern Operational Risk Management uses actuarial science as its basis: a technique for calculating unexpected loss (risk) and expected loss (cost), which can be used to optimize risk-reward and risk-control within the framework of cost-benefit analysis.

In a modern ORM scenario, senior management evaluates operational risk not as an afterthought, but as a vital component of business administration, strategic planning, and enterprise risk management processes. Most firms have by now acknowledged the advantages of modern ORM, and it could lead the way in setting new standards for business practices.

Soneri Bank’s ORMF is well engineered and is used proficiently to resolve various issues, either through predefined controls or through controls the bank has identified itself. It is not necessary to advise the bank to modify it in accordance with the ideal ORMF. Within its own classification of framework, processes and interfaces, the ORM structure functions adequately and is certainly effective in controlling numerous different risks, but there are evidently many areas where development can be pursued further. It was determined that the effect of risk concentration is identified by people rather than by the system, which may lead to inconsistency, because the impact score can lie anywhere between 1 and 5 and can differ as different people have different perceptions. Among other proposals presented to the ORM, one was to incorporate composite algorithms that perform numerous calculations in sequence, so that the system itself would be able to indicate the strength of a risk's impact.
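The heat-map counting described under Heat Map and the rating inconsistency noted in the paragraph above, as an added Python example that is not part of the original project. It assumes the score is impact multiplied by likelihood (consistent with the 1, 5, 5 residual values in Table 2.3); the band cut-offs, department names, assessor labels and sample ratings are constructed for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed cut-offs on impact x likelihood (illustrative, not Soneri Bank's).
BANDS = ((4, "low"), (12, "medium"), (25, "high"))


@dataclass(frozen=True)
class Rating:
    department: str
    risk_id: str
    assessor: str
    impact: int      # 1-5, Impact Grid score
    likelihood: int  # 1-5, Likelihood Grid score (5 = occurs every month)

    def __post_init__(self):
        for field in ("impact", "likelihood"):
            value = getattr(self, field)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{field} must be an integer 1-5, got {value!r}")

    @property
    def score(self) -> int:
        # Assumption: score = impact x likelihood.
        return self.impact * self.likelihood

    @property
    def band(self) -> str:
        return next(name for limit, name in BANDS if self.score <= limit)


def band_counts(ratings):
    """Per department, count risks per band using the worst rating of each risk."""
    worst = {}
    for r in ratings:
        key = (r.department, r.risk_id)
        if key not in worst or r.score > worst[key].score:
            worst[key] = r
    counts = defaultdict(Counter)
    for r in worst.values():
        counts[r.department][r.band] += 1
    return {dept: dict(c) for dept, c in counts.items()}


def band_disagreements(ratings):
    """Risks whose assessors' scores fall in different bands."""
    seen = defaultdict(set)
    for r in ratings:
        seen[(r.department, r.risk_id)].add(r.band)
    return {key: sorted(bands) for key, bands in seen.items() if len(bands) > 1}


# Constructed sample ratings (departments and assessors are hypothetical).
SAMPLE = [
    Rating("Branch Operations", "1", "assessor-A", 1, 5),
    Rating("Branch Operations", "1", "assessor-B", 3, 5),
    Rating("Branch Operations", "2", "assessor-A", 2, 2),
    Rating("IT", "7", "assessor-A", 5, 4),
]

if __name__ == "__main__":
    print(band_counts(SAMPLE))
    print(band_disagreements(SAMPLE))
```

A risk returned by `band_disagreements` is one where the assessors' differing perceptions change its heat-map category, so it is a candidate for review before the register is consolidated.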

Recommendation

To conclude this study, we propose the following recommendations to enhance the establishment of a structured approach to operational risk management in Soneri Bank:

The framework for a structured approach should be used by Soneri Bank to enhance the development of its operational risk processes.

As the concept of operational risk management is not yet fully established in Soneri Bank, it is important to develop and implement a formal training program for operational risk management. This will enhance the awareness of operational risk in the bank and stimulate interest in its management.

APPENDIX

Questionnaire

Thank you for taking the time to complete this survey. Your feedback is important to us in suggesting ways to improve Operational Risk Management in Soneri Bank. This survey should only take about 3 to 4 minutes of your time. Your answers will be completely anonymous.

1) In what categories does SBL categorize the operational risk? (Please select all that apply)

a. External events that cause damage to the physical assets


b. Unauthorized activities by external parties

c. Employment practices and workplace safety

d. Intentional misconduct (internal fraud)

e. Client, product and business practices

f. Business disruption and system failures

g. Business process risks

h. Outsourcing

i. Other

j. Don’t know

2) To what extent has SBL applied technology in its operational risk management program? (Please select all that apply)

a. Technology is being used for the automation of risk reporting

b. Technology is being used for the automation of risk monitoring

c. Technology is being used for the automation of risk identification

d. Technology is being considered

e. None, no consideration has been given

f. Don’t know

3) What is operational risk reporting used for? (Please select all that apply)

a. Day to day management

b. Compliance

c. Financial reporting

d. Strategic decision making

e. External communication

f. Other

g. Don’t know

4) What measures has SBL taken to reduce potential redundancies in completing operational risk assessment (e.g. internal audit, risk management, compliance)? (Please select all that apply)

a. Consolidated risk assessment activities


b. Consolidated risk assessment functions

c. Established template with common assessment questions

d. One governance or oversight function

e. Other

f. None

g. Don’t know

5) Does the operational risk management system capture the interrelation between the various risks identified? (Please select all that apply)

a. Yes, in a descriptive way

b. Yes, in a quantitative way (e.g. correlations)

c. Yes, other

d. No

e. Don’t know

6) At what time intervals is the operational risk assessment reviewed? (Please select

all that apply)

a. Ad hoc

b. Monthly

c. Quarterly

d. Yearly

e. With bank’s reporting cycle

f. Other

g. Don’t know

7) What information is collected as part of the operational risk assessment? (Please

select all that apply)

a. Risk description

b. Risk owner


c. Control description

d. Impact

e. Frequency

f. Risk ranking

g. Action plan if risk appetite/limit is breached

h. Key risk indicators

i. Risk appetite/Limit

j. Other

k. Don’t know

8) How is the operational risk function organized? (Please select all that apply)

a. Embedded in the lines of business

b. Centralized

c. Both

d. Other

9) Please rate the following statements on their level of significance to SBL operational risk program. (1= Not significant, 5= very significant, and 6=Don’t know)

Scale

1. Communication with other departments 1 2 3 4 5 6

2. Risk Control self-assessment 1 2 3 4 5 6

3. Loss event management 1 2 3 4 5 6

4. Strategies risk assessment 1 2 3 4 5 6

5. Key risk assessment 1 2 3 4 5 6

6. Scenario analysis/stress testing 1 2 3 4 5 6

Thank you so much for your time.

OPERATIONAL RISK MANAGEMENT FRAMEWORK IN SONERI BANK 49

Page 57: Operational Risk Management Framework in Soneri Bank

References

Authority, F. S., 1999. A paper by FDA Informal Working Party on Allocating Regula-tory Capital for Operational Risk. s.l.:s.n.

Cooper, P., 1999. Operational Risk - The Next Frontier. USA: British Bankers Associa-tion, s.l.: s.n.

Crouchy, M. &. M. R., 2000. Operational Risk, in The Professional's Handbook of Fi-nancial Risk Management. s.l.:Oxford: Butterworth Heinemann.

Davies, J. F. M. L. S., 1998. Defining and Aggregating Operational Risk Information in Operational Risk and Financial Institution. London: Risk Books.

Davies, J. F. M. L. S., 1998. defining and Aggregating Operational Risk Information in Operational Risk And Financial Institution.. London: Risk Books.

Donahoe, T., 1999. Role Playing. Some operational risk groups are struggling to make their remit clear: Operational Risk Special Report, s.l.: s.n.

Hoffman, D., 1998. New Trends in Operational Risk Measurement and Management in Operational Risk and Financial Institutions. London: Risk Books.

Katz, I., 1995. Financial Risk Manager. London: Euromoney Books.

OPERATIONAL RISK MANAGEMENT FRAMEWORK IN SONERI BANK 50

Page 58: Operational Risk Management Framework in Soneri Bank

Kingsley, S., 1998. Operational Risk and Financial Institutions: Getting Started in Oper-ational Risk and Financial Instituions. London: Risk Books.

Laycock, M., 1998. Analysing of Mishhandling Losses and Processing Errors in Applica-tions of Operational Risk and Financial Institutions. London: Risk Books.

Mayland, P., 1993. Operational Credit Risk Assessing and Controlling Credit Risk in Bank Operating Services. USA: Probus Publishing.

Rachlin, C., 1998. Operational Risk in Retail Banking: Promoting and Embedding Risk Awareness across Diverse Banking Groups in Operational Risk and Financial Institu-tions. London: Risk Books.

Remenyi, D. &. H. A., 1996. Business Process re-engineering: Some aspects of how to evaluate and manage the risk exposure.. s.l.:International Journal of Project Manage-ment.

Supervision, B. C. o. B., 1998. Operational Risk Management. s.l.:s.n.

Williams, D., 2000. The Risk Factors of E-Commerce (Industry Trend or Event) , s.l.: Meridien Research Report.

Wilson, D., 2000. Operational Risk in The Professional's Handbook of Financial Risk Management.. s.l.:s.n.

OPERATIONAL RISK MANAGEMENT FRAMEWORK IN SONERI BANK 51