The ORM Framework_v2

8/7/2019 The ORM Framework_v2

Operational Risk Management (ORM) Framework

Losses arising from operational lapses can have a devastating impact on the operations of the Company, and affect its bottom line and its relationship with stakeholders. It is therefore vital for the Company to have in place an effective and suitable operational risk management framework to help it approach the operational risks inherent in its business and ensure sound activities.

The ORM Framework will help:

- provide a common definition and understanding of operational risk across the Company;
- provide an ORM organizational structure that clarifies risk management roles and responsibilities;
- determine the Company's operational risk profile in comparison to its risk appetite, and consequently put in place risk-mitigating control measures;
- identify, assess, monitor and control/mitigate operational risks on a regular basis, at all levels of the organization, in all activities it undertakes, including but not limited to existing and newly-developed products, business processes or procedures, and information and communication technology systems;
- develop and maintain a risk-smart leadership, workforce and environment.

Successful implementation of this ORM Framework depends heavily on individual responsibility and collective oversight. It is hoped that successful implementation of the ORM Framework will lead to reductions in operational losses, errors and incidents, as the Company becomes better able to identify and address potential problems, and faster at doing so.

The COMPANY ORM Framework shall have five (5) Basic Elements:

Element 1: Understanding Risk: provides a common understanding of operational risk, which is essential in ensuring coordinated efforts towards the management of risks.

Element 2: Establishing Risk Management Function and Responsibilities: provides a discussion on the corporate structure that will support the Operational Risk Management Framework. It outlines the roles and responsibilities of the members of the organization as far as risk management is concerned.

Element 3: Developing the Corporate Risk Profile: provides a discussion on the processes, tools and techniques that will help the Company identify and respond to its risk profile and risk appetite.

Element 4: Institutionalizing the Risk Management Process: provides a discussion on the risk management process that will help the Company identify, assess, monitor and mitigate/control operational risks, and on how to integrate that process into practices at all levels of the organization, in all activities it undertakes.

Element 5: Maintaining a Risk-Smart Leadership, Structure and Culture: provides a discussion on how the Company can develop a risk-smart leadership, structure and culture.


Element 1: Understanding Risk

The Company as an institution must identify and understand the operational risks that it faces so that it can act on them appropriately. But it must start with understanding what operational risk is. All members of the organization must use a common language in order to have a uniform and coordinated approach to risk management.

For the purpose of this paper, risk, in general, is defined as the possibility of loss, damage, or any other undesirable event. It is inherent to the industry and to all of the Company's activities, but it can be avoided, mitigated, minimized or contained within acceptable levels, or transferred, and can even lead to innovation and opportunity, provided that it is managed properly.

Operational risk, on the other hand, is one of the three major risks faced by the Company, the other two being credit and market risk. The Basel Committee on Banking Supervision defines it as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. This definition includes legal and regulatory risk, but excludes business (strategic) and reputational risk.

To be more specific, the Company defines operational risk as the potential loss arising from:

- process execution failures or errors, due to the absence or inadequacy of, non-compliance with, or disregard or ignorance of policies and procedures or contracts;
- internal and external fraud or rogue practices, due mainly to a breakdown in, or inadequacy of, internal control or corporate governance;
- a major failure of computer systems that delays transactions or affects their accuracy, completeness and/or validity;
- natural and man-made disasters that deny people access to, or damage, the Company's assets such as buildings and computers, and affect the capability of the Company to resume normal operations;
- legal liabilities due to employment practices, workplace safety, or changes in the regulatory environment.

Note: Potential loss may take the form of financial loss or other non-financial damage, such as loss of reputation and public confidence, that will impact the Company's credibility and its ability to transact, maintain liquidity and obtain new business.

To better explain the above definitions, and to clearly exclude non-operational risks, the following boundary rules shall be followed:

What is included in the definition of Operational Risk

Legal and Regulatory Risk

Legal and regulatory risk is the risk of loss resulting from exposure to impacts such as fines, penalties or punitive damages from supervisory actions, or to judgments or private settlements. Examples are as follows:

- court litigation or arbitration costs or damages;
- costs and fees resulting from litigation, even if the case is dismissed or withdrawn;
- losses or costs incurred where the Company itself is the victim and is seeking recovery through litigation;
- losses due to retroactive implementation of laws or regulations.

What is excluded from the definition of Operational Risk

Strategic & Business Risk

Strategic and business risk is the risk of loss arising from flawed strategic or discretionary processes, and is usually associated with senior management decision making, such as decisions on the following:

- investment in new products, processes or systems;
- mergers and acquisitions;
- re-engineering / organizational restructuring;
- opening of new business centers or rationalization of business center locations;
- redundancy programs.

However, risk events that happen during the implementation of the above-mentioned projects (e.g., illegal termination of employment during redundancy programs, late payment of obligations to contractors, etc.) are considered operational risks.

Credit Risk

Credit risk is the risk of loss due to counterparty default.

However, where the principal driver of the loss is attributable to operational failures (i.e., lapses in implementing the procedures for carrying out a credit transaction), the loss must be considered operational risk. Examples are as follows:

- an erroneous or defective credit rating, scoring or evaluation system that resulted in the approval of transactions for non-creditworthy clients;
- failure to insure collateral, or failure to monitor the adequacy of collateral, appraise or update its value, and make a collateral call;
- failure to seek approval for a credit transaction, or use of the wrong approval authority, leading to inadequate review of the transaction and eventually to a loss;
- processing errors that prevented discovery of defaulting loan obligations;
- booking errors that reduced the recorded value of a borrowing client's obligation;
- legally defective, unenforceable, missing or incomplete loan documents, due to improper review and safekeeping of such documents.

Market Risk

Market risk is defined as the risk of loss due to changes in market prices on outstanding positions taken through discretionary market judgements.

However, where the principal driver of the loss is attributable to operational failures (i.e., lapses in implementing the procedures for carrying out a trading transaction), the loss must be considered operational risk. Examples are as follows:

- processing errors, such as the wrong currency being used or entered in the computer system, diminishing the value of the transaction;
- accounting errors that led to erroneous marking-to-market of transactions;
- failure to properly execute a stop loss;
- failure to observe transaction limits;
- erroneous market valuation models that led to wrong investment decisions;
- failure to secure proper approval for transactions in excess of limits;
- incomplete documentation;
- unauthorized trading.

Reputational Risk

Reputational risk is the risk of loss resulting from damage to the Company's reputation. Although operational risk events may sometimes lead to damage to the Company's reputation, the losses attributable to such reputational damage shall not be considered operational in nature. Nevertheless, proper management of operational risk is tantamount to protecting the Company's reputation.


And while operational risk is regarded as a discipline distinct from credit and market risk, its management should be seen as supporting the building of a robust credit risk and market risk infrastructure. Having the proper controls, processes and systems, which is partly what operational risk management is all about, creates an environment that supports credit and market risk-taking activities.


Element 2: Establishing Risk Management Function and Responsibilities

Risk management can be defined as the culture, processes and structures that are directed towards the effective management of risks. However, risk management can only be achieved at all levels of the Company, and in all activities it undertakes, if there is an organizational structure that will support the full implementation of established risk management policies and procedures.

In the case of COMPANY, management of risk is the responsibility of everyone. Such responsibility resides with all members of the organization, at all levels and in all offices of the Company. Each individual, regardless of rank, position and nature of work, is a risk manager, and shall be held accountable for managing risks in his or her area of responsibility.

The basic foundation of the COMPANY Operational Risk Management Framework is the clear definition of the roles and responsibilities of all members of the organization with regard to risk management. In this regard, a robust risk management structure shall be in place in the Company to ensure adequate oversight and implementation of the ORM Framework. The principal responsible offices are as follows:

- Board of Directors
- Senior Management Committee
- Operations Risk Unit of the Risk Management Group
- Line Management
- Internal Audit Division

To wit, the organizational structure shall work as follows: the ORM Framework and risk management policies and structures, including basic control policies, shall be:

1. formulated or designed, and continuously improved, by RISK MANAGEMENT GROUP;
2. approved and mandated for implementation by the Board;
3. strictly monitored in their implementation by Senior Management;
4. implemented by Line Management; and
5. regularly reviewed for adequacy and effectiveness by Internal Audit.

Board of Directors and Senior Management

The Board of Directors and the Senior Management of the Company shall be actively involved in the oversight of the operational risk management framework.

Board of Directors

The Board of Directors shall be responsible for the following:

- review and approval of the ORM Framework, including revisions thereto;
- annual review of the effectiveness of the framework;
- review and approval of the risk profile appropriate to the Company's growth strategy;
- requiring management to set up an appropriate system of internal control to effectively identify, assess, monitor and control/mitigate operational risk, and monitoring its maintenance;
- regularly receiving, reviewing and taking appropriate actions and decisions on operational risk reports submitted by Senior Management;
- assessing the ability and effectiveness of Senior Management in managing operational risks;
- ensuring the regular audit of the Company's operational risk management system;
- putting in place an appropriate employee training and reward-punishment system to promote operational risk management and develop a risk-smart workforce and environment.

The Board may delegate risk-related responsibilities to the Risk Management Committee and the Audit Committee. In such a case, these committees must advise the Board about the risk reports they receive from management.


There shall be at least one (1) non-executive director on the Board with expertise in the area of risk management (including operational risk) to provide independent insight.

Senior Management

Senior Management, on the other hand, shall be responsible for the following:

- implementing the Operational Risk Management Framework and being ultimately responsible to the Board for the management of operational risks;
- setting up an appropriate internal control system that will ensure the effective management of operational risk;
- reviewing the risk exposure and the monitoring mechanisms on a regular basis;
- regularly submitting to the Board reports on overall operational risk management;
- ensuring that, for every organizational change, each business unit's responsibilities in operational risk management are clearly defined;
- equipping operational risk management with appropriate resources, including but not limited to financial and human resources;
- adjusting operational risk management strategies in response to internal and external events.

Risk Management Group and its Operations Risk Unit

There shall be a risk management office, named the Risk Management Group, which must be independent from the other business units in the organization in order to ensure consistency and effectiveness of risk management. RISK MANAGEMENT GROUP, specifically its Operational Risk Unit, shall be responsible for defining the Operational Risk Management Framework and related policies, and for ensuring their enterprise-wide and consistent implementation.

It shall be responsible for the following:

- formulating, and coordinating the implementation of, risk policies and procedures for approval by the Board, including but not limited to policies and procedures that identify, assess, mitigate and monitor operational risks, and reporting the results of operational risk assessments;
- developing, implementing, reviewing and reporting the results of bottom-up self-assessments that produce a specific operational risk profile for each business line, highlighting the areas with high risk potential, and monitoring the implementation of corrective actions;
- loss event database development, maintenance, analysis and reporting;
- capturing, monitoring and analyzing Key Risk Indicators and Key Performance Indicators, and reporting the results of that analysis;
- developing plans, tools and techniques preparatory to the adoption of more advanced risk management methodologies;
- assisting, and consequently equipping, the other business units with the knowledge and skills to identify, assess, monitor and control/mitigate operational risk.

Line Management

Primary responsibility for identifying, assessing and managing or mitigating operational risks day to day rests with Line Management. By "Line Management", this Framework refers to the heads of business units who administer the activities of the Company.

To perform this role, Line Management must:

- effectively align the corporate and business-level strategies with the risk appetite and tolerance of the Company;
- be responsible for the training, competence and continuous professional development of its people. Though it may appoint a staff member within the department to take charge of operational risk management, it shall make all members of the department aware of their risk-related responsibilities, including knowledge of risk management policies and procedures;
- implement on an ongoing basis risk management approaches that will help identify and assess the operational risks in the department;
- manage the risk profile of its own department, and coordinate and establish with other offices a cross-functional approach to managing common risks that impact their respective activities.

Internal Audit Division

Internal Audit shall not be directly involved in other departments' operational risk management. It shall independently audit the adequacy and effectiveness of the Company's ORM Framework and internal controls. Specifically, it shall:

- check compliance by all members of the organization with internal controls;
- report its findings and propose corrective actions to the Audit Committee, which shall in turn advise the Board of Directors of the same, for appropriate action;
- check the Company's capability to handle operational risk events in a timely and effective manner;
- check the adequacy of the Company's capital provisions for operational risk.


Element 3: Developing the Corporate Risk Profile

The Company's strategies and resources must be adjusted to the risks it actually faces and is willing to tolerate. To do so, it must know its corporate risk profile. Developing a corporate risk profile involves taking stock of the organization's operating environment, identifying key risks, and reviewing the organization's capacity to deal with these risks. The corporate risk profile is approved by Senior Management, reported to the Board of Directors, and updated annually.

Considering all these risks, the Company shall then define its risk appetite and risk tolerance.

Risk appetite is the amount of risk the Company is willing to accept in the normal course of business as it pursues its strategic and financial objectives. Risk taken within appetite may give rise to expected losses, but these should be sufficiently exceeded by expected earnings.

Risk tolerance is an assessment of the maximum risk the Company is willing to sustain for short periods of time. It emphasizes the downside of the risk distribution, and the Company's capacity to absorb unexpected losses. The capacity for unexpected losses depends on having sufficient capital and liquidity available to avoid insolvency. Risk tolerance typically provides an upper boundary for the Company's risk appetite.

Developing a corporate risk profile involves the following activities:

- planning and preparation;
- conducting an environmental scan;
- understanding the organization's risk tolerance;
- assessing current risk management capacity;
- developing the risk response; and
- stating or finalizing the corporate risk profile.

Planning and Preparation

There must be a process methodology, approved by Senior Management, that provides a structured and disciplined approach to collecting the data needed to develop the corporate risk profile. These methodologies will identify the organization's threats or risks and provide the process by which the Company decides how to deal with such risks. As of the date of this paper, these methodologies shall include, but are not limited to, the following:

- Risk and Control Self-Assessment (RCSA), a bottom-up self-assessment exercise to be conducted at department level, enterprise-wide. The results will be the specific operational risk profile for each business unit and, when collated, the Corporate Risk Profile. The RCSA exercise will highlight the functions and processes with high-risk potential.
- Loss Events Database, a methodology for the capture and use of all operational risk loss data.
- Key Risk Indicator (KRI) identification and assessment methodology.

These and any future approaches must be able to assess the risk profile at the department or business-line level, so that appropriate risk management measures may be adopted in each department or line of business.

In implementing these methodologies, briefings or workshops shall be conducted jointly by the Operational Risk Unit of RISK MANAGEMENT GROUP and the Training Department of the Human Resources Group for the members of the organization who are handpicked to support the effort. These briefings or workshops are meant to gain support for, and an understanding of, the corporate risk profile development program. The briefing or workshop would cover the following:

- the risk management concept;
- the corporate risk profile concept and objectives;
- the roles of, and expectations from, participating business units or individuals; and
- what information needs to be collected to develop the corporate risk profile, how this will be done, and what will be done with the information collected.

Conducting an Internal and External Environmental Scan

Internal and external risk factors that could significantly and adversely influence overall management priorities, performance, and the achievement of corporate objectives must be identified through an environmental scan or risk identification process. The scan includes the following:

- the identification and description of internal and external risks that significantly influence the achievement of the organization's objectives (key risk areas);
- an overview of the department's capacity to manage risk in terms of existing competencies and systematic processes;
- an identification of target risk units (activities, operating groups, systems and programs that require specific attention because they entail significant potential risks); and
- systematic methods of managing risk for the priority target risk units.

Risk data collection may be done through:

- techniques such as brainstorming;
- official sources of risk information such as audit reports, performance reports, and other management information systems; and
- surveys or interviews.

All risk areas or information identified during the process must be classified by the function the risk is identified with, the type and/or source of risk, and a ranking scale. The data will then be organized by program, business line, discipline or functional area, geographic location, type of risk, source of risk, or a combination of these and other relevant categories.

Understanding the Organization's Risk Tolerance

An organization's tolerance for risk varies with evolving and prevailing conditions in its internal and external environments. It is necessary to understand the organization's risk tolerance so that the appropriate measures for handling the risks may be applied.

In understanding the organization's risk tolerance level, the following must be considered:

- the organization's operating control policies;
- the organization's performance expectations and actual performance;
- the organization's previous reactions to past risk events and issues;
- shareholder expectations;
- regulatory constraints; and
- the economic environment.

Assessing Current Risk Management Capacity

The following must be identified to fully understand the organization's capacity to manage risks:

- the resources of the Company that can be used to manage risks, and their adequacy; and
- the skills of its human resources.

Developing the Initial Risk Response

All collected information must be used to come up with assumptions, which then need to be validated and analyzed. The analysis should cover:

- assessment of all the risks facing the organization in terms of likelihood and impact on the achievement of corporate objectives;
- identification of which risks need to be managed first, and at what level of the organization;
- linking of the risks to corporate objectives; and
- ways or options to manage such risks.

The Company shall have the following options to reduce its risk exposures:

- Avoid the risk by not engaging in the activity.
- Transfer or reduce the risk exposure, e.g., by buying insurance.
- Accept the risk. When the Company does so, it may use any of the following strategies:
  - Pricing: getting a return commensurate with the risk posed by an activity.
  - Capital: maintaining a strong capital position in order to absorb possible losses from taking on more risk.
  - Controls: having in place the necessary systems, processes and procedures (collectively referred to here as a risk management system) to identify, assess and control risks, keeping them at acceptable levels.

Stating the Corporate Risk Profile

The final step is to produce a document setting out the corporate risk profile. This document will then be presented to the Board of Directors for review and approval.


Element 4: Institutionalizing the Risk Management Process

Management of risk must be sustained throughout the organization, by making it an indispensable part of the Company's everyday life. All members of the organization must be committed to sustaining it, applying it to all kinds and levels of activity, and making it part of the decision-making process.

The day-to-day management of operational risk exposures shall be through the maintenance of the following:

- a standard process of identifying, assessing, mitigating/controlling and reporting risks when introducing new, or revising existing, products, processes or systems;
- a system of basic internal controls to ensure the safety and soundness of Company operations;
- a risk reporting system to ensure prompt and accurate escalation of risk issues to the appropriate bodies; and
- risk mitigation programs, including but not limited to Business Continuity Management and Operational Risk Insurance.

The Standard Risk Management Process

A rigorous risk review and sign-off process (the risk management process) shall be applied when introducing a new, or revising an existing, product, process or system. For the purpose of this paper, product, process and system are defined as follows:

- "Product" refers to all products and services offered, or to be offered, by the Company, such as Peso Savings Account, deposit pick-up, Super Payroll.
- A business "Process" is a set of coordinated tasks and activities that lead to accomplishing a specific organizational goal. Examples are cash deposit, Manager's Check processing, loan release, sale of acquired assets, purchase of office supplies, credit review, sale of foreign exchange, GOVERNMENT reports generation.
- "System" refers to technology-related solutions, or a computer system, or a network of related computer software, hardware and data transmission devices, such as Platform Companying, Easymatics, OPICS, Financial Management System.

Thus, no new product, process or system, and no revision or improvement to an existing one, shall be implemented without first going through the standard risk management process.

Primary responsibility for ensuring and documenting compliance rests with the product champion, or the process or system owner. The same format used for the Company's Risk and Control Self-Assessment shall be used for the risk assessment of new, or revisions to existing, products, processes and systems. All members of the organization who are involved in the conceptualization, review, testing and/or implementation of such initiatives shall review and sign off the risk assessment before the initiatives are implemented.

The risk assessment, or the Standard Risk Management Process, shall involve the following steps:

1. Risk Identification: defining or identifying the problems or threats to the organization as a whole, or for each activity, function or procedure involved in implementing the product, process or system;

2. Risk Assessment: (a) analyzing key risk areas, the types or categories of risk, and the degree of exposure to such risks (expressed as likelihood and impact); (b) ranking risks by severity and prioritizing them for management;

3. Risk Mitigation / Control: (a) defining risk management objectives and expected outcomes for each of the identified and ranked risks; (b) identifying and analyzing mitigation options for minimizing threats and maximizing opportunities; and (c) choosing the appropriate option based on the perceived risk tolerance of the organization;

4. Risk Reporting: identifying ways to monitor and report the identified risks once the product, process or system is in place.
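The four steps above can be carried as a small risk register that scores each identified risk, ranks the register, and gates sign-off on the organization's tolerance. The following is an added example, not code from the ORM Framework paper or the Company; the 1-5 likelihood and impact scales, the control-effectiveness factor used to derive a residual score, the category names and the tolerance value are all assumptions chosen for illustration, and the sample register is constructed from failure modes the boundary rules in Element 1 list for a hypothetical new foreign-exchange sale process.

```python
"""Worked example of the four-step Standard Risk Management Process.

Added example, not part of the ORM Framework paper. The 1-5 likelihood and
impact scales, the control-effectiveness factor and the tolerance value are
assumptions chosen for illustration; the paper only says exposure is
"expressed as likelihood and impact" and that risks are ranked by severity.
"""
from dataclasses import dataclass

# Assumed ordinal scales (the paper does not prescribe them).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Loss-source categories taken from the Company's definition in Element 1.
CATEGORIES = {"process", "people", "systems", "external", "legal"}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    category: str
    likelihood: str
    impact: str
    # Step 3 output: 0.0 = no mitigation chosen, 1.0 = fully mitigating (assumed scale).
    control_effectiveness: float = 0.0

    def __post_init__(self):
        # Steps 1-2 hygiene: reject register entries that cannot be scored.
        if self.category not in CATEGORIES:
            raise ValueError(f"{self.risk_id}: unknown category {self.category!r}")
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.risk_id}: likelihood/impact must use the defined scales")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.risk_id}: control_effectiveness must be in [0, 1]")

    def inherent_score(self) -> int:
        """Step 2(a): exposure before controls, as likelihood x impact (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> float:
        """Step 3: exposure remaining after the chosen mitigation option."""
        return self.inherent_score() * (1.0 - self.control_effectiveness)


def rank_risks(register: list[Risk]) -> list[Risk]:
    """Step 2(b): most severe first; ties broken by inherent exposure, then id."""
    return sorted(register, key=lambda r: (-r.residual_score(), -r.inherent_score(), r.risk_id))


def exceeding_tolerance(register: list[Risk], tolerance: float) -> list[str]:
    """Steps 3(c) and 4: ids of risks whose residual exposure is above tolerance, ranked."""
    return [r.risk_id for r in rank_risks(register) if r.residual_score() > tolerance]


def signoff_allowed(register: list[Risk], tolerance: float) -> bool:
    """The initiative may be signed off only when nothing remains above tolerance."""
    return not exceeding_tolerance(register, tolerance)


# Constructed sample register for a hypothetical new FX-sale process, using
# failure modes the paper lists under the market and credit risk boundary rules.
SAMPLE_REGISTER = [
    Risk("R1", "wrong currency keyed into the system", "process", "likely", "major", 0.75),
    Risk("R2", "trade executed above transaction limit", "people", "possible", "severe", 0.5),
    Risk("R3", "settlement system outage delays deals", "systems", "unlikely", "major", 0.0),
    Risk("R4", "incomplete deal documentation", "legal", "possible", "minor", 0.8),
]
TOLERANCE = 6.0  # assumed residual-score ceiling derived from the risk tolerance


if __name__ == "__main__":
    for r in rank_risks(SAMPLE_REGISTER):
        print(f"{r.risk_id} {r.category:8} inherent={r.inherent_score():2} residual={r.residual_score():5.2f}")
    print("above tolerance:", exceeding_tolerance(SAMPLE_REGISTER, TOLERANCE))
    print("sign-off allowed:", signoff_allowed(SAMPLE_REGISTER, TOLERANCE))
```

The point of separating the inherent and residual scores is that step 3 must be shown to have done something: R3 ranks highest not because it is the most likely event but because no mitigation option has been chosen for it, and the sign-off gate stays closed until every residual score is at or below the tolerance, which is what the "review and sign off before implementation" rule above requires.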

Risk Reporting

The Company shall have a system for monitoring and reporting operational risk status and material losses. Material losses, critical risk issues or operational risk events should be reported to the Board of Directors through the Risk Management Committee. Such reports must be supported with proposed measures to mitigate or control the risks.

At the very least, the Board of Directors must be apprised of the following reports:

- results of the KRI (Key Risk Indicators) monitoring system;
- analysis of Loss Events Database information;
- Internal Audit reports;
- Insurance Report.

Core Operational Control Standards

The Company shall have a system of basic internal controls, called the Core Operational Control Standards, for the effective management of operational risk. The Company's Core Operational Control Standards are the policies, procedures and practices established to help ensure that Company personnel carry out Board and management directives at every business level throughout the Company. These activities help ensure that the Board and management act to control risks that could prevent the Company from attaining its objectives.

The Core Operational Control Standards shall include, but are not limited to, the following:

- proper accounting records;
- documented, updated and disseminated policies and procedures for all products, processes and systems;
- established approvals and authorization for transactions and activities;
- reconciliation;
- review of operating performance and exception reports;
- safeguards or physical controls over the use of assets and records;
- segregation of duties, to reduce any one person's opportunity to commit and conceal fraud or errors;
- mandatory leave requirements;
- rotation of duties;
- number control;
- knowledge of outside activities of employees;
- sound recruitment policies; and
- independence of Internal Audit.

Proper Accounting Records

The Company must maintain at all times accurate, updated and complete accounting records of all its transactions. These records should contain sufficient detail to meet management and supervisory needs, and to allow future audit investigations to trace completed transactions to their point of origin. The Company's Chart of Accounts should conform to Government regulations. All accounting entries, including corrections or adjustments thereof, should have proper approval. Members of the organization with bookkeeping functions should not have cash-handling duties and should never be in a position to originate or dominate accounting entries.


Adequate and Documented Policies and Procedures

The Company shall establish and document policies and procedures to cover all business activities. These policies must be presented to and approved by the Board prior to implementation, and disseminated to all concerned individuals and business units.

Policies and procedures must, at least on an annual basis or whenever necessary, be reviewed and updated to ensure they reflect the Company's changing environment (i.e., internal requirements and changes, new regulatory requirements) and the Board of Directors' current tolerance for risk.

Policies and procedures governing the review and approval of significant policy and procedural exceptions must be provided. The documented exception policies and procedures should provide the mechanics for securing exception approval and identify the persons responsible for approving the same.

All documented policies and procedures must contain the following basic elements to ensure that the message the Company wishes to convey is clearly understood by the intended users thereof:

- Purpose statement: A statement describing the activities covered by the policy and the risks controlled through the policy.

- Objectives: A description of the objectives to be achieved through the effective implementation of the policy.

- General Policy: A statement describing the policy's relationship to the Company's general strategies. The policy should be consistent with stated Company-wide objectives and strategies.

- Authority: A description of the management structure (committees and individuals) authorized to engage in the activities covered by the policy.

- Responsibility: A description of the management structure (committees and individuals) responsible for implementing the policy.

- Policy exceptions: A description of the process and procedures for approving exceptions to policy parameters.

Policies and/or procedures authored by the business unit that intends to use them must be reviewed and signed off by an independent office prior to implementation, to check for the following:

- Consistency with established practices and controls in the Company;

- Compliance with regulations and internal policies; and

- Impact on other offices.

Transaction Approvals, Authorizations and Verifications

All Company transactions or activities must have prior approval by an authorized officer who is in the best position to approve or execute decisions or transactions up to limits established by the Company. Approval may be signified by the approval authority's full signature or initials manually affixed on the original copy of the transaction document, or by the electronic equivalent of a signature.

Approval Authority is the authority to approve or execute decisions or transactions up to limits established by the Company, where the approver is ultimately responsible for the appropriateness, correctness and accuracy of the decision or transaction which he/she is approving, or of the details on the documents he/she is signing.

In defining authorities, the Company shall adhere to the requirements of government institutions and to the prevailing internal requirements and organizational structure of the Company. Only the Board of Directors, the Executive Committee, the Chief Executive Officer, the Chief Operating Officer and the Senior Management Committee may define signing authorities or approve the creation of committees, task forces, new offices or Responsibility Centers with approval authorities.


Transaction Verification/Validation

Verification and validation of transaction details and activities are important control activities. The term verification/validation shall mean that, prior to the processing of or effecting a Company transaction, the identity of the client/s has been established and the source of funds and the purpose of the transaction have been properly determined.

The following control measures shall be observed in verifying/validating the authenticity of the transaction:

- Design and Use of Documents and Records to Help Ensure that Transactions and Events are Recorded: Documentary requirements play a vital role in any transaction of the Company. Thus, to effectively ensure the authenticity and enforceability of any transaction between the Company and its clients, standard forms must be used and accomplished by clients.

- Signature Verification: The signature of the client on the transaction documents/forms shall be verified against the IDs presented by the client and/or signature cards on file with the Company. The Company shall perform signature verification as one of the control measures in validating the authenticity of the transaction.

- Confirmation of Client's Identity: The submission by the client of the acceptable identification requirements (IDs) must be observed to further establish the identity of the client. Verification shall be done by the Company by requiring the client to present an acceptable ID to determine if the client is in fact the person he/she claims to be, and by ensuring that the ID submitted by the client matches the name of the client on the transaction document and that the person's likeness matches the photo shown on the ID presented.

Dual Control Function

Dual control shall be defined as the verification of the work of one person by a second person to determine (1) that proper authority has been given to handle the transaction, (2) that the transaction is properly recorded, and (3) that the proper settlement of the transaction is made. Such control may be physical, e.g., one person witnessing another person's execution of his job; or logical, e.g., a higher-level authorization password is required to allow a transaction, previously initiated by another, to proceed.

Dual control is based upon the premise that, for a breach to be committed, both parties would need to be in collusion and, because the pairs of people should always be alternated, a much greater level of corruption would be required in order to breach dual control procedures.

When there is a control issue, or the transaction is vulnerable to losses, the routine of the transaction should be so designed that at least two or more individuals are involved in the completion thereof. In such cases, there should be a maker and a checker, where the checker should always be a higher-level responsibility employee from the business unit handling the transaction.

Processes or computer systems should be designed in such a way that a transaction will not be processed unless the required maker and checker initials appear on the records of the transaction.

The maker and checker should not be related to each other within the third degree of consanguinity or affinity.

Both maker and checker shall be held responsible for the correctness of the transaction.
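One way a transaction system can enforce the maker/checker rules set out above (a checker distinct from the maker, of a higher responsibility level and from the same business unit, not related within the third degree, and no processing without both initials on record) is shown in the following added example. It is illustrative code written for this page, not the Company's system or any product's code; the staff directory, authority levels, business units, user ids and the relationship register are constructed sample data, which in practice would come from HR records.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed staff directory (assumption: in practice sourced from HR records).
# "level" is the responsibility level; "unit" is the business unit.
STAFF = {
    "u100": {"name": "A. Maker", "level": 1, "unit": "Ops"},
    "u200": {"name": "B. Checker", "level": 2, "unit": "Ops"},
    "u300": {"name": "C. Treasury", "level": 2, "unit": "Treasury"},
    "u400": {"name": "D. Peer", "level": 1, "unit": "Ops"},
    "u500": {"name": "E. Relative", "level": 2, "unit": "Ops"},
}

# Constructed register of declared relationships within the third degree of
# consanguinity or affinity, stored as unordered pairs (assumption: HR maintains it).
RELATED_PAIRS = {frozenset({"u100", "u500"})}


@dataclass
class Transaction:
    ref: str
    amount: float
    maker: Optional[str] = None    # initials of the person who initiated it
    checker: Optional[str] = None  # initials of the person who verified it
    processed: bool = False


class DualControlError(Exception):
    """Raised when a maker/checker rule is violated."""


def checker_violation(maker_id: str, checker_id: str) -> Optional[str]:
    """Return the dual-control rule a checker assignment would break, or None if allowed."""
    if maker_id not in STAFF or checker_id not in STAFF:
        return "unknown user"
    if checker_id == maker_id:
        return "maker may not check his/her own transaction"
    maker, checker = STAFF[maker_id], STAFF[checker_id]
    if checker["unit"] != maker["unit"]:
        return "checker must belong to the business unit handling the transaction"
    if checker["level"] <= maker["level"]:
        return "checker must hold a higher level of responsibility than the maker"
    if frozenset({maker_id, checker_id}) in RELATED_PAIRS:
        return "maker and checker are related within the third degree"
    return None


def record_maker(txn: Transaction, user_id: str) -> Transaction:
    if user_id not in STAFF:
        raise DualControlError("unknown user")
    txn.maker = user_id
    return txn


def record_checker(txn: Transaction, user_id: str) -> Transaction:
    if txn.maker is None:
        raise DualControlError("no maker has initiated this transaction yet")
    reason = checker_violation(txn.maker, user_id)
    if reason is not None:
        raise DualControlError(reason)
    txn.checker = user_id
    return txn


def process(txn: Transaction) -> Transaction:
    """Post the transaction only when both maker and checker initials are on record."""
    if txn.maker is None or txn.checker is None:
        raise DualControlError("transaction lacks the required maker and checker initials")
    txn.processed = True
    return txn


def run_workflow(ref: str, amount: float, maker_id: str, checker_id: str) -> Transaction:
    """Full maker -> checker -> process cycle; raises DualControlError on any rule breach."""
    txn = Transaction(ref=ref, amount=amount)
    record_maker(txn, maker_id)
    record_checker(txn, checker_id)
    return process(txn)


if __name__ == "__main__":
    print(run_workflow("TXN-0001", 25000.0, "u100", "u200"))   # allowed pairing
    for checker in ("u100", "u400", "u300", "u500"):           # each breaks one rule
        try:
            run_workflow("TXN-0002", 25000.0, "u100", checker)
        except DualControlError as err:
            print(f"rejected with checker {checker}: {err}")
```

The checks are ordered so that the most basic failure (self-approval) is reported first; a system that only compared user ids would still let a same-level peer or a relative act as checker, which is exactly what the framework's additional conditions are meant to exclude.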

Reconciliation

Documentary requirements play a vital role in any transaction of the Company. Therefore, in no case shall Company transactions be processed without the required validated documents.


Proper and adequate accounting records must be maintained by the Company. These records should be kept up-to-date and shall contain sufficient detail so that an audit trail is established. The Company must ensure that all Company transactions are recorded and booked to their appropriate general ledgers and subsidiary ledgers. All transaction media shall bear the official approval of the authorized officer/s, should be initiated by the authorized associate from the originating unit, and should be checked by another person. Reconciliation/callback of transactions posted shall be performed by a person other than the one who processed/posted the transactions.

Independent Checks on Whether Jobs are Getting Done and Recorded Amounts are Accurate

- Direct Verification: Direct verification is another internal safeguard to protect the Company against losses. As used in the profession, direct verification means the confirmation of accounts or records by means of direct correspondence with the Company's clients. These accounts or records include deposits, loans, safekeeping and all other items which can be corroborated by the clients.

- Independent Balancing: Independent balancing shall mean that transactions posted are reviewed by a person other than the one who processed the transactions.

- Safekeeping of Records: The Company shall retain all official records which have legal, administrative, accounting and reference value to the Company, a court or any other government institution. These records or documents shall be retained for a period of at least five (5) years, or permanently, or in accordance with the requirements of existing laws and regulations in the Philippines. Safekeeping of these documents means that both hardcopies and softcopies (whenever applicable) of the documents must be retained, free from tampering or corruption, within the assigned retention period. The Company must at all stages in a transaction be able to produce accurate records and retrieve relevant information, to the extent that it is available, without undue delay.

Review of Operating Performance and Exception Reports

Top-level reviews shall be conducted by the Board of Directors and senior management through presentations and performance reports of the various units of the Company. Top-level reviews shall focus on the following:

- Actual performance versus budget

- Comparisons to prior periods

- Performance versus competitors' performance

A review of the reports showing actual financial results to date versus the budget will enable senior management to assess accomplishments against the committed goals, and to determine whether there are gaps between actual and desired performance. Likewise, questions raised by senior management as a result of this review, and the responses of lower levels of management, represent a control activity which may detect problems such as control weaknesses, errors in financial reporting or fraudulent activities.

Functional reviews are usually more detailed and occur more frequently than top-level reviews, and are done to monitor functional areas or departmental activities. In functional reviews, the department or division heads review standard performance and exception reports on a daily, weekly or monthly basis. The questions generated as a result of reviewing the reports, and the responses to those questions, represent the control activity.

Physical Controls or Security of Assets

Physical Controls: Physical controls generally focus on restricting access to tangible assets, including cash and securities. Control activities include physical limitations, dual custody and periodic inventories. The safeguarding and housing of assets, including the vault and the building quarters, demand adequate physical protection. Physical controls shall include the vault, grill door gate, keys that render equipment inoperative, alarms and other physical devices to protect the premises of the Company. It is extremely important that the Company pays close attention to the security of its facility and all equipment, materials, records and files contained therein.


Joint Custody Function: Joint custody shall refer to the processing of a transaction in the presence of and under the direct observation of a second person. Both persons shall be equally accountable for the physical protection of the items and records involved.

Treatment of Assets: Employees of the Company must protect its assets and use the same for authorized business purposes only. For purposes of this policy, the assets of the Company shall be divided into the following four (4) major categories:

- Proprietary Information: Proprietary information shall refer to any information or knowledge, the unauthorized disclosure of which could disadvantage the Company competitively or financially, or subject the Company to legal sanctions. Confidential information relating to the business and operations of the Company should not be disclosed unless authorized by the Company and the law.

- Funds and Property: Employees of the Company shall be responsible for safeguarding and making proper and efficient use of its funds and property by following existing policies and procedures to prevent their loss, theft, destruction or unauthorized use. At a minimum, controls must include a system of supervisory checks and balances at all levels of the organization for all expenditures. Generally, all expenses must be accompanied by an official receipt or supporting documents and must be duly approved by the authorized officers of the Company.

- Records: The Company must safeguard and preserve the authenticity of all official records, since transactions, payments or events can only be verified/validated through said records.

- Goodwill and Reputation: Company associates should act in a way that will not endanger or detrimentally affect the goodwill and reputation of the Company. The actions and behavior of employees, and the conduct of personal business even outside the Company, may affect the public's and the clients' perception of the Company.

System-Related Matters: New systems to be installed in the Company, if required, should be reviewed by the authorized regulatory office/s prior to implementation. For new products and services introduced by the Company, a system must be in place to support the development of said products and services. Likewise, the setting up of a new system and enhancements of existing systems must be cleared with the Company's Information Technology Group.

Segregation of Duties

The duties of all the officers and employees of the Company must be segregated, clearly defined, understood and documented. This is to reduce a person's opportunity to commit and conceal fraud or errors. In this regard, officers and employees of the Company must have clearly defined, documented and updated job descriptions, and the activities being performed by each employee shall be subject to audit. The updated job descriptions must be made known to and accepted in writing by the employee before he/she assumes the job responsibilities.

No one person should be allowed to complete a transaction from beginning to end. For effective control measures, different people should be responsible for:

- authorizing the transaction;

- recording the transaction;

- handling the related assets; and

- monitoring the transactions.

An appropriate internal control system requires that there is appropriate segregation of duties and that personnel are not assigned conflicting responsibilities. Areas of potential conflicts of interest should be identified, minimized and subject to careful independent monitoring. There should also be periodic reviews of the responsibilities and functions of key individuals to ensure that they are not in a position to conceal inappropriate actions.


No employee shall be permitted to process transactions affecting his/her own account.

If an associate is asked to relieve someone, the immediate supervisor of the reliever must ensure that there is no conflict or control issue.

Requirement on Mandatory Leaves

Employees who hold sensitive positions shall be required to take an uninterrupted vacation within a consecutive period prescribed by the Company.

Employees on vacation should stay away from Company premises.

A mandatory vacation schedule should be prepared for all the officers and employees of the Company. An uninterrupted vacation from the Company within the prescribed period provides a simple yet effective internal control. An enforced absence from daily work will also leave an officer or employee physically and mentally refreshed.

If possible, the mandatory vacation schedule should be unannounced, to prevent the concerned employee from manipulating Company records prior to his/her vacation leave. However, the supervising officer must ensure that there is always a reliever or alternate who can take the place of the employee who will go on mandatory vacation leave. During the employee's absence, any errors or inconsistencies may be detected, and exceptions can be investigated.

Rotation of Duties

Rotation of duty assignments is one of the control procedures closely related to mandatory vacations, as both result in a forced absence from regular duties. Mandatory vacations, however, are planned, while rotations are enforced without previous notice. The rotation should be of sufficient duration to be effective. Rotation of assignments should be irregular and unannounced, and should last long enough to permit the disclosure of any irregularities or manipulations.

Rotation of duties is not only a basic internal safeguard but also a valuable aid in the training and development of employees. It develops among employees the skills and experience which they will need when they substitute for associates who are absent due to illness or vacation. It will also prepare them for positions of greater responsibility.

Number Control

Sequence number controls, usually incorporated in the accounting system, shall be used in registering notes, in issuing official checks and in other similar operations. Numbers on transactions shall be required to control processing and to identify individual transactions.

Number controls should be monitored by a person who is detached from the particular operations involved. For example, accounting for the consecutive numbers on money orders should be done by a person who does not prepare the checks.

Sequentially pre-numbered instruments or forms make the operation of number controls more efficient. Unissued pre-numbered instruments that can be used to obtain funds should be safeguarded through joint custody by the designated custodians.
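The following added example (not part of the framework or of any Company system) shows how the number control described above can be automated over an issuance register of pre-numbered instruments: every number in the stock range received into joint custody must be accounted for as issued, voided or still on hand, duplicates and out-of-range numbers are flagged, and the person accounting for the numbers is confirmed not to have prepared any of the instruments. The register, stock range, void list, on-hand list and user ids are constructed sample data.

```python
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Constructed issuance register of pre-numbered official checks:
# (sequence number, preparer id, payee). Sample data for this example only.
ISSUED: List[Tuple[int, str, str]] = [
    (1001, "u100", "Vendor A"),
    (1002, "u100", "Vendor B"),
    (1004, "u100", "Vendor C"),
    (1004, "u400", "Vendor D"),   # the same number was issued twice
    (1006, "u100", "Vendor E"),
    (1012, "u100", "Vendor F"),   # a number that was never received into stock
]
# Constructed stock record: the numbered range received into joint custody, numbers
# voided with an approved void form, and numbers still held unissued by the custodians.
STOCK_RANGE: Tuple[int, int] = (1001, 1008)
VOIDED: Set[int] = {1005}
ON_HAND: Set[int] = {1007, 1008}


def sequence_exceptions(issued: Iterable[Tuple[int, str, str]],
                        stock_range: Tuple[int, int],
                        voided: Set[int],
                        on_hand: Set[int]) -> Dict[str, List[int]]:
    """Account for every number in the stock range and report whatever does not reconcile."""
    first, last = stock_range
    numbers = [n for n, _, _ in issued]
    counts = Counter(numbers)
    # The same instrument number appearing on more than one issued item.
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    # A gap is a number received into stock that is neither issued, voided nor on hand.
    accounted = set(numbers) | voided | on_hand
    gaps = [n for n in range(first, last + 1) if n not in accounted]
    # Issued numbers that were never part of the stock received.
    out_of_range = sorted(n for n in set(numbers) if not first <= n <= last)
    # A number cannot be issued and at the same time be voided or still on hand.
    conflicts = sorted(set(numbers) & (voided | on_hand))
    return {"gaps": gaps, "duplicates": duplicates,
            "out_of_range": out_of_range, "conflicts": conflicts}


def reconciles(issued, stock_range, voided, on_hand) -> bool:
    """True only when every number in the range is accounted for exactly once."""
    return not any(sequence_exceptions(issued, stock_range, voided, on_hand).values())


def monitor_is_independent(monitor_id: str, issued: Iterable[Tuple[int, str, str]]) -> bool:
    """The person accounting for the numbers must not have prepared any instrument."""
    return all(preparer != monitor_id for _, preparer, _ in issued)


if __name__ == "__main__":
    for label, value in sequence_exceptions(ISSUED, STOCK_RANGE, VOIDED, ON_HAND).items():
        print(f"{label}: {value}")
    print("register reconciles:", reconciles(ISSUED, STOCK_RANGE, VOIDED, ON_HAND))
    print("monitor u200 independent:", monitor_is_independent("u200", ISSUED))
    print("monitor u100 independent:", monitor_is_independent("u100", ISSUED))
```

Run against the sample register, the check reports number 1003 as unaccounted for, 1004 as a duplicate and 1012 as outside the stock received, so the register does not reconcile; the same routine returns a clean result for a register in which issued, voided and on-hand numbers together cover the range exactly.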


Knowledge of Outside Activities of Employees

The non-working activities of the members of the organization must be checked, including any immediate or sudden change in their appearance or habits which may be indicative of misconduct, or of spending habits that go beyond the limits of their income.

In this regard, all members of the organization shall be required to submit on an annual basis a statement of their assets and liabilities, certified by them as true and complete, which may be independently checked or verified by the Company.

High-risk employees (due to financial difficulties, as may be further defined by the Human Resources Group) shall not be assigned to positions handling financial transactions or records.

Outside employment of the members of the organization must be disclosed and must have prior approval from the Human Resources Group.

Sound Personnel Policies

(a) Recruitment: There must be a written formal procedure for employing new people, to ensure that only men and women of competence and integrity who are qualified to handle responsibilities should staff the Company. All relevant information, including previous employment, credit references and psychological state, should be secured and made the basis for the decision whether or not to employ the person.

(b) Fair and Just Salary and Benefits Scale: To attract and keep honest staff members, the Company should pay a fair salary consistent with the earnings and growth of the financial institution and with the ability of the individual to work according to the requirements of his position. Paying employees fair and just salaries can reduce the temptation to steal and minimize the rate of personnel turnover.

(c) Open Communication Channels Between Employees and Management: Employees should be free to discuss with the Human Resources Group, their supervising officers or other designated offices their personal problems, or any work-related problem or perceived violation of established policies and procedures, without fear of criticism or censure.

(d) Code of Conduct or Discipline or Ethics: The Company shall have a code of discipline or ethics or conduct that will serve as a guide for the conduct expected of the officers and employees in their day-to-day pursuit of company objectives. This code of discipline should also spell out what constitutes violations and their corresponding penalties. All members of the organization must be made aware of, and certify having read and understood, the Code. Any changes to the Code should be communicated to all members of the organization.

Independence of the Internal Auditor

There shall be an Internal Audit office which should be independent of Company management, and must be objective in its review of Company transactions. The Internal Auditor should not develop and install procedures, prepare records nor engage in any activity which he normally would be expected to review or appraise.

Risk Mitigation Programs

Business Continuity

To ensure business continuity, and minimize losses resulting from disruption of business operations, the Company shall have a Business Continuity Management Program that will cover at least the following:


1. Disaster Risk Reduction Program, or a program that will ensure that in all of the Company's activities the risks are identified and measures are provided to reduce or mitigate the same;

2. Crisis Management Program, or the Emergency Preparedness Plan, which will provide guidelines on how to respond to all types of man-made and natural calamities or threats that may hit the organization, such as but not limited to fire, flood, earthquake, employee strike, and bomb threats. The primary purpose of this program is to ensure the safety of personnel and the protection of resources;

3. Business Continuity Plan, which will guide the Company in resuming business operations within an acceptable timeframe after a disaster; and

4. Disaster Recovery Plan, which is a clearly defined and documented plan for recovering IT and telecommunications capabilities when a disaster occurs.

Outsourcing

The Company shall have risk management policies with regard to the outsourcing of functions, to ensure that outsourcing is subject to rigorous contracts and service agreements which clearly specify the obligations, accountabilities and rights of the Company and the service providers. The outsourcing guidelines must comply with the basic requirements of regulatory bodies as regards the outsourcing of functions.

Insurance

Whenever necessary, the Company shall purchase insurance to mitigate operational risks.

Capital Provisions

The Company shall make adequate capital provisions for the operational risk it undertakes, in compliance with the requirements of regulatory bodies.


Element 5: Maintaining a Risk-Smart Leadership, Structure and Culture

Operational risk management is a continuing process. To ensure this, it is essential to embed risk management in the organization. Developing a risk culture can be done by:

- Having an organizational structure that implements the ORM Framework, as discussed under Element No. 2;

- Regularly communicating the risk management program to all members of the organization;

- Selling the program as a team or collaborative effort, involving everyone in the implementation thereof, and making each member of the organization an important part of the team;

- Having in place a training and education program for all members of the organization, which must be comprehensive, visible, and ongoing;

- Setting in place all the necessary, adequate and appropriate information technology and communication tools that everyone may use in identifying, assessing, mitigating/controlling and reporting operational risks;

- Developing human resource practices that encourage involvement in risk management, like the use of recognition and reward initiatives;

- Conducting regular surveys of all the members of the organization to determine their attitudes to risk management; and

- Making risk management an essential part of the organization's and its people's Annual Performance Appraisal.

Department-Level Risk Managers

As discussed under Element No. 2 of this paper, line management shall be primarily responsible for implementing risk management processes. However, to reinforce accountability and ownership of risk and control, there must be appointed in each department or business unit, from among the incumbent members thereof, a "Risk Manager" who will assist line managers in driving the risk management program in the department or business unit. The Line Managers and the Risk Managers shall, in coordination with and/or with the assistance of the Operational Risk Unit of RISK MANAGEMENT GROUP, implement the ORM Framework and form the Company's core team of risk-smart individuals. These individuals shall be trained to become the Company's positive change agents.

Communicating Risk Management Programs

Risk management programs, policies, directives and the like must be promptly communicated to all members of the organization by the Operational Risk Unit of RISK MANAGEMENT GROUP and all other offices which may, from time to time, be involved in the implementation of the ORM Framework. Except when confidentiality must be protected, everyone must have access to documents pertaining to said risk management programs, policies and directives. Any activity that will be launched in support of the risk management program must be clearly articulated so that its successful implementation will be ensured. And as provided for in the Human Resources Manual of the Company, supervising officers must ensure that all communications from management are shared and discussed with their respective subordinates.

Training and Education Program

By developing a comprehensive training and education program, the organization will have a workforce that will:

- embrace the risk management culture and consider itself a vital member of the organization;

- have full understanding of the risk management process;

- ensure consistent and correct implementation of the risk management process; and

- adhere to the need for continuous growth and improvement in its role as a risk manager.

The emphasis of the program is that everyone has a role to play in the process and that risk management is essential in preventing loss.

The Operational Risk Unit of RISK MANAGEMENT GROUP shall coordinate with the Training Department of the Human Resources Group in designing, implementing and continuously improving the training and education program. But at the helm of this activity shall be the Board of Directors and the Senior Management, both of which shall be recognized as the owner and driver of the program. The Training Department shall ensure enterprise-wide coverage of the program.

The risk management training and education program should include:

- Risk management concepts and principles;

- Risk management terminologies;

- Expected benefits for the organization as a whole and for the members of the organization;

- Risk management organizational structure, and the roles and responsibilities of each member thereof; and

- Risk management processes and tools.

Information Technology Solutions

The Company shall establish and maintain a quality, corporate-wide IT infrastructure that will incorporate the components and requirements of the ORM Framework. The computer systems shall help in:

- providing mitigating controls in an end-to-end transaction cycle for each Company transaction or process;

- the timely, accurate and complete identification of risks per Company transaction or process;

- the subsequent reporting thereof to the line managers and risk managers of the department or business unit and to the Operational Risk Unit of RISK MANAGEMENT GROUP; and

- consolidating all related risk management data for easier analysis by the Operational Risk Unit of CRIMS.

Encourage Involvement

The Company's work environment must be supportive of any initiative that will lead to the successful implementation of the risk management program. Support is demonstrated by:

- motivating and providing venues for continuous learning;

- valuing, encouraging and embracing new ideas and innovations; and

- rewarding those that have contributed positively to the attainment of the goals of risk management.

Annual Survey

The Operational Risk Unit of RISK MANAGEMENT GROUP shall undertake an annual risk management survey of randomly selected members of the organization. This is to gauge the effectiveness of risk management-related programs and to provide an opportunity to solicit suggestions on how to improve the program. Any issue raised by staff must be reported to management and acted upon accordingly.

Annual Performance Appraisal

Each business unit and each member of the organization must take ownership of the particular risks and associated controls relating to the job and/or transactions they are handling. The successful implementation of the risk management program, or the failure thereof, must be considered in the performance appraisal of the individual and of the business unit.
