Rules for Risk: A Model for Managing Operational Risks
Featuring operational risk expert Philippa Girling, former head of operational risk at Morgan Stanley and Nomura
NOVEMBER 14, 2012
Today’s Speaker
Philippa Girling, Operational Risk Expert
Philippa Girling, Esq., FRM, November 14th, 2012
RULES FOR RISK: A MODEL FOR MANAGING OPERATIONAL RISKS
Rules for Risk: A Model for Managing Operational Risk
© Philippa Girling 2012 Reproduction only with Permission
OPERATIONAL RISK
Definition: Risk of loss resulting from failed or inadequate people, systems, processes or external events
Includes legal risk
Excludes reputational risk
OPERATIONAL RISK & SANDY
Hurricane Sandy:
Power
Connectivity
Phones
Physical damage
Exchange shut down
Life safety
Business continuity & disaster recovery
OPERATIONAL RISK AT THE OLYMPICS
People: Nervous athletes, opinionated officials, aggressive press, terrorists, disgruntled Londoners, (missing) security guards, confused volunteers, crazed fans, lost children, Heads of State, visiting dignitaries and the list goes on
Processes and systems: Stadium building and preparation, ticket sales, transportation, opening ceremonies, closing ceremonies, Olympic village management, cleaning, feeding, running races, organizing matches, safety checks of the parallel bars, awarding medals, playing anthems, global broadcasting, keeping that darned flame alight and the list goes on.
External Events: Two words – London Weather.
OPERATIONAL RISK IN THE MARKETS
Knight Capital:
Technology risk leads to $400m loss
Process failure
UBS Rogue Trader:
Kweku Adoboli
Unauthorized trading leads to over $2b loss
Some Societe Generale control failures repeat
JP Morgan Whale:
Bruno Iksil leads trading strategy that results in at least $2b loss
Standard Chartered and others…
$340m AML fine
MANY IMPACTS
Financial:
Direct & indirect
Reputational:
Share value decline
Client
Regulatory & Legal
Life Safety
OPERATIONAL RISK CATEGORIES
Internal Fraud: Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involves at least one internal party.
External Fraud: Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involves at least one internal party.
Employment Practices and Workplace Safety: Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity/discrimination events.
Clients, Products & Business Practices: Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.
Execution, Delivery and Process Management: Losses from failed transaction processing or process management, from relations with trade counterparties and vendors.
Business Disruption and System Failure: Losses arising from disruption of business or system failures.
Damage to Physical Assets: Losses arising from loss or damage to physical assets from natural disaster or other events.
OPERATIONAL RISK CHALLENGE
Definition: “The risk of loss resulting from inadequate or failed internal processes, people and systems or external events”
Similar to other risk types:
Rigor should be applied to the management of operational risk.
Failure to properly manage operational risk can result in a misstatement of an institution’s risk profile and expose the institution to significant losses
Regulatory requirement
Business drivers
Different to other risk types:
Typically not directly taken in return for an expected reward
Exists in the natural course of corporate activity
RISK MANAGEMENT GOALS
Identify
Assess
Control & Monitor
Mitigate
&
Hold capital as protection
THESE TENETS AT THE OLYMPICS
All seven categories of operational risk were present in the headlines:
Olympic badminton players disqualified for trying to lose - Internal Fraud
London Olympics Fake Tickets Create ‘Honeypot’ for Criminals - External Fraud
Empty seats at Olympic venues prompt investigation - Clients, Products and Business Practices
Dispute Between London Olympics and Musicians Union Heats Up - Employment Practice and Workplace Safety
NATB calls London Olympics ticket distribution a failure - Execution, Delivery and Process Management
Olympic security shortfall called “absolute chaos” - Damage to Physical Assets
London 2012: Traffic jams and impact of Games Lanes - Business Disruption and System Failure
Identify, assess, control and mitigate:
Management use a common model to identify and assess the impact of risks to their business. For each risk, the likelihood and consequence are identified, management controls and the frequency of monitoring are confirmed and results reported.
Annual Report of the London Organising Committee of the Olympic Games and Paralympic Games Ltd (LOCOG) p33
See blog at www.pxgassociates.com for details
OPERATIONAL RISK FRAMEWORK
Framework diagram, built up over successive slides (components in the order they are introduced):
Governance
Culture and Awareness
Policies and Procedures
RCSA*
Scenario Analysis
Key Risk Indicators
Internal Loss Data
External Loss Data
Measurement and Modeling
Reporting
Risk appetite
* Risk & Control Self Assessments
GOVERNANCE
Who owns operational risk function?
CRO, COO, CFO?
What does operational risk function own?
Business continuity?
SOX?
Information Security?
New product approval?
Supplier risk management?
Business line operational risk managers?
CULTURE AND AWARENESS
Be clear about the brand
Market the benefits and expectations
Train broadly
Engage sponsors
POLICIES AND PROCEDURES
Regulatory expectation
Engagement tool
Best practice
Audit tool
Write:
Operational risk policy
Include standards, governance and monitoring and enforcement
Loss data procedures
Assessment procedures
Metric procedures
Reporting procedures
LOSS DATA
Internal loss data:
Set clear standards
Provide training and tool
Include regulatory and business requirements in design
External loss data:
Tap available sources: Algo First, ORX, SAS
Uses of loss data:
Identify risk areas and control weaknesses
Agree mitigating actions and owners
Prioritize risk reduction
Provide information for RCSA and Scenario Analysis
Identify potential metrics
ASSESSMENT
Risk and Control Self Assessment (RCSA):
Workshop approaches
Questionnaire approaches
Scoring methods
Score inherent and residual risk?
Score control effectiveness (design and performance)
Consider multiple impact categories
Timing: annual, quarterly, continuous
Attach metrics
Tools available
SCENARIO ANALYSIS
Process to identify rare catastrophic risks
Uses:
Input into capital calculation
Engage business in very large operational risk discussion
Identify key areas for risk mitigation
METRICS AND KRIS
Not everything that counts can be counted and not everything that can be counted, counts.
Select metrics wisely
Don’t frisk the ant, while the elephant walks by
Consider metrics after RCSA, attach to key risks and controls
Define carefully
Ensure clear ownership
Quality check
Use them as tools in the toolbox,
CAPITAL MODELING
Basel II requirement that operational risk capital be held using an advanced measurement approach
Include all four elements in capital model:
Internal loss data
External loss data
Scenario analysis
Business environment internal control factors
REPORTING
Never produce a ‘so what’ report
Provide risk analysis and require decisions
Use reporting as escalation tool under governance structure
Include:
Relevant loss data trends and concerns (internal and external)
Metrics analysis highlighting risk reduction or increases
Assessment output and themes
Progress on risk mitigating actions
Design to suit the audience
RISK APPETITE
Difficult to articulate
Consider:
Loss data ‘limits’
Metrics thresholds
Qualitative risk assessment scoring
All impact types
ENTERPRISE RISK MANAGEMENT
Reputational
Geopolitical
ERM
Market
Q&A
Philippa Girling
973 460 2745
Thank you for joining us!
This presentation was made possible by Zurich, a global leader in risk management services and insurance solutions. For more information about Zurich’s portfolio of products and services, visit:
www.zurichna.com