Rm 11-1

Risk Management University of Economics, Kraków, 2012 Tomasz Aleksandrowicz

Transcript of Rm 11-1

Page 1: Rm 11-1

Risk Management, University of Economics, Kraków, 2012

Tomasz Aleksandrowicz

Page 2: Rm 11-1

operational risk management

operational risk

tools & techniques

ORM in banking

Page 3: Rm 11-1

operational risk

• risk due to organisation operations
• arising from execution of a company's business functions
• operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events (Basel II)
• it is not used to generate profit
• to keep losses within limit (driven by risk appetite)

Page 4: Rm 11-1

operational risk management

• there is no one size fits all approach
• operational risk is much harder to identify than market and credit risk

Page 5: Rm 11-1

operational risk categories

• broad concept focuses on people, processes and systems and external factors

• more detailed approach under Basel II regulations:
  – Internal Fraud
  – External Fraud
  – Employment Practices and Workplace Safety
  – Clients, Products, & Business Practice
  – Damage to Physical Assets
  – Business Disruption & Systems Failures
  – Execution, Delivery, & Process Management

Page 6: Rm 11-1

operational risk categories (II)

• people - due to human error, loss of personnel and health and safety issues

• process - due to business performance processes or projects as well as capacity and reporting matters

• systems/technology - due to technical issues of systems, computers and equipment as well as data quality and security

• external events - due to external factors, regulatory environment and natural hazards

Page 7: Rm 11-1

ORM exercise

choose your company

list 2-3 risks with 4 categories: people, process, systems/technology, external events

Page 8: Rm 11-1

people risk

• Employee collusion/fraud
• Employee error
• Employee misdeed/crime
• Employment law
• Health and safety at work
• Insufficient or lack of knowledge/skills
• Loss of key personnel (key personnel risk)

Page 9: Rm 11-1

process risk

• Accounting error
• Capacity risk
• Contract risk
• Product complexity/product flaws
• Project risk
• Reporting error
• Settlement/payment error
• Transaction error
• Valuation error

Page 10: Rm 11-1

technology risk

• Data quality
• Programming errors
• Security breach
• Strategic risks complexity (platform/suppliers)
• System capacity
• System compatibility
• System delivery
• System failure
• System suitability

Page 11: Rm 11-1

external risk

• Legal/Regulatory
• Money laundering
• Outsourcing
• Political
• Supplier/Partner risk
• Tax
• Fire/Natural disaster
• Theft/Robbery
• Physical security (terrorism, vandalism)

Page 12: Rm 11-1

ORM exercise 2

propose a solution for most common risks in each category

Page 13: Rm 11-1

ORM tools & techniques

• internal controls & audit
• training & procedures
• key risk indicators (KRI)
• strategic diversification/outsourcing
• insurance
• hazard prevention - emergency management
• business continuity planning (BCP)

Page 14: Rm 11-1

KRI - Key Risk Indicators

• metrics used to monitor identified risk exposures over time

• measure used in management to indicate how risky an activity is

• differs from a Key Performance Indicator (KPI), which is a measure of how well something is being done

• gives an early warning to identify a potentially risky event

Page 15: Rm 11-1

KRI management

• effective indicator selection: relevant, measurable, predictive
• selection process approach: top-down or bottom-up
• using composite or index indicators
• indicator thresholds and limits, escalation triggers
• indicator trending and scale (green, amber, red)
• reporting: level of reporting, frequency and presentation style

Page 16: Rm 11-1

KRI examples

• customer complaints volume
• product return ratio
• volume/value of products breakage
• number of caught shoplifters / value of loss due to customer theft
• staff turnover
• staff sickness days
• number of over-time hours utilized
• number of data capture errors
• number of virus or phishing attacks
• number of server restarts requested
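
The KRI management points above (thresholds and limits, the green/amber/red scale, trending and escalation triggers) can be shown on two of the listed indicators. This is an added example, not part of the original slides; the threshold values, the 3-period trend window, the escalation rule and the monthly readings are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class KRI:
    name: str
    amber: float          # threshold: at or above this the indicator turns amber
    red: float            # limit: at or above this the indicator turns red
    trend_trigger: float  # escalate when recent mean / prior mean reaches this ratio

def rag_status(kri, value):
    """Map a single reading onto the green/amber/red scale."""
    if value >= kri.red:
        return "red"
    if value >= kri.amber:
        return "amber"
    return "green"

def trend_ratio(readings, window=3):
    """Mean of the last `window` readings divided by the mean of the window before it."""
    recent, prior = readings[-window:], readings[-2 * window:-window]
    if len(prior) < window or mean(prior) == 0:
        return None  # not enough history, or a zero baseline: no trend available
    return mean(recent) / mean(prior)

def evaluate(kri, readings):
    """Return (status, trend, escalate) for the latest reading."""
    status = rag_status(kri, readings[-1])
    trend = trend_ratio(readings)
    rising = trend is not None and trend >= kri.trend_trigger
    # Assumed escalation trigger: any red breach, or amber with a worsening trend.
    escalate = status == "red" or (status == "amber" and rising)
    return status, trend, escalate

# Constructed monthly readings (illustrative values only).
PHISHING = KRI("phishing attacks per month", amber=40, red=80, trend_trigger=1.5)
TURNOVER = KRI("staff turnover % (annualised)", amber=12, red=20, trend_trigger=1.25)
SAMPLES = {
    PHISHING.name: (PHISHING, [18, 22, 20, 31, 44, 52]),
    TURNOVER.name: (TURNOVER, [9, 10, 9, 10, 11, 10]),
}

def report():
    return {name: evaluate(kri, data) for name, (kri, data) in SAMPLES.items()}

if __name__ == "__main__":
    for name, (status, trend, escalate) in report().items():
        print(f"{name}: {status}, trend={trend}, escalate={escalate}")
```

The phishing indicator is only amber on its latest reading, but it is escalated because its recent average has more than doubled; the trend gives the early warning before the red limit is reached.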

Page 17: Rm 11-1

ORM exercise 3

propose KRI for most common risks in each category

Page 18: Rm 11-1

BCP - business continuity planning

• is a roadmap for continuing operations under extreme conditions

• effective prevention and recovery for the organization

• active preparation and planning for emergencies
  – critical (urgent) organization functions/activities
  – non-critical (non-urgent) organization functions/activities

Page 19: Rm 11-1

BCP life-cycle

Page 20: Rm 11-1

operational risk management industry example: banking

three approaches to ORM

Page 21: Rm 11-1

#1 Basic Indicator Approach

• simplest operational risk measurement method
• banks have to hold capital reserves for operational loss
• average gross income from the previous 3 years times a given percentage (alpha)
• years with negative or zero income excluded
• committee alpha percentage – 15% (represents industry average operational risk)
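
A worked calculation of the Basic Indicator Approach as described above, showing the effect of excluding non-positive years. This is an added example, not part of the original slides; the income figures are constructed, and `naive_charge` is a hypothetical helper showing the common mistake of averaging over all three years.

```python
def bia_capital_charge(gross_income_by_year, alpha=0.15):
    """Basic Indicator Approach: alpha times the average of positive gross income.

    Only the previous three years are used. Years with negative or zero
    gross income are dropped from both the sum and the number of years
    the average is taken over.
    """
    last_three = list(gross_income_by_year)[-3:]
    positive = [gi for gi in last_three if gi > 0]
    if not positive:
        # With no positive year the average is undefined (division by zero).
        raise ValueError("no year with positive gross income")
    return alpha * sum(positive) / len(positive)

def naive_charge(gross_income_by_year, alpha=0.15):
    """Incorrect variant: averages all three years, letting a loss year offset the rest."""
    last_three = list(gross_income_by_year)[-3:]
    return alpha * sum(last_three) / len(last_three)

# Constructed gross income in millions, oldest year first; only the last three count.
INCOME = [70.0, 120.0, -30.0, 90.0]

if __name__ == "__main__":
    print("BIA charge:  ", bia_capital_charge(INCOME))  # uses 120 and 90 only
    print("naive charge:", naive_charge(INCOME))        # understates the requirement
```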


Page 22: Rm 11-1

#2 Standardized Approach

• more complex method of operational risk measurement

• banks have to hold capital reserves for operational loss
• three-year average across each of the business lines in each year times a given percentage (beta)


Page 23: Rm 11-1

Standardized Approach – beta factor


Page 24: Rm 11-1

#3 Advanced Measurement Approach

• comprehensive method based on bank’s internal operational risk measurement system

• quantitative and qualitative criteria
• subject to regulatory approval
• minimum five-year observation period of internal loss data
• external data could be used


Page 25: Rm 11-1

Advanced Measurement Approach (II)

• bank must be able to demonstrate that its approach captures even unlikely events

• high-severity events must be subject to scenario analysis, using external data and expert advice