An End-to-End Process Approach for Effective Operational Risk Management
12 November, 2017
Bio
Kamonrat Kharawamit, SVP, Head of Operational Risk
Kamonrat joined Kiatnakin Bank in February 2011 as Senior Vice President - Department Head of Operational Risk Management. As such, she is responsible for the implementation of the Kiatnakin Group Operational Risk Framework and for oversight of all credit, non-credit, and investment products' related operational risk exposure. This includes IT and Cyber Risk.
Prior to Kiatnakin Bank, she worked at KBank for five years. In her last role, she was the head of operational risk management, responsible for implementing the KGroup operational risk management framework.
For her education background, she graduated from Chulalongkorn University, Accountancy Faculty. In 2003, she was granted a full Thai Government Scholarship to study in the USA and graduated from Cornell University with a Master of Professional Studies in Applied Statistics in May 2004.
Agenda
• Definition of Operational Risk and Loss Event
• 2017 COSO ERM Updated Framework and Key Changes
• Key Success Factor in Operational Risk Management
• End-to-End Process Approach
Types of Risk
Credit Risk is the risk of default on a debt that may arise from a borrower failing to make required payments. In the first resort, the risk is that of the lender and includes lost principal and interest, disruption to cash flows, and increased collection cost.
Market Risk is the risk of losses in positions arising from movements in market prices.
Liquidity Risk is the risk that a company or bank may be unable to meet short term financial demands. This usually occurs due to the inability to convert a security or hard asset to cash without a loss of capital and/or income in the process.
Operational Risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. This definition includes legal risk, but excludes reputational risk.
Strategic Risk is a possible source of loss that might arise from the pursuit of an unsuccessful business plan: from making poor business decisions, from the substandard execution of decisions, from inadequate resource allocation, or from a failure to respond well to changes in the business environment.
What is operational risk?
“Operational Risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. This definition includes legal risk, but excludes reputational risk.”
Types of Operational Risk
Cause: Process, People, System, External Factor -> Impact
Operational Risk Categories (BIS):
1. Internal Fraud
2. External Fraud
3. Employment Practice and Workplace Safety
4. Client, Product, Business Practice
5. Damage to Physical Asset
6. Business Disruption & System Failure
7. Execution, Delivery, Process Management
Operational Loss
• Cyber Attack: Bangladesh Bank
• Internal Fraud: Soc Gen, Kerviel
• Clients, Products, & Business Practice
• Damage to Physical Assets: 9/11 Attacks; Thai cases of 2547 and 2554 [Thai-language labels not recoverable]
• Business Disruption & Systems Failures [Thai-language label not recoverable]
Bangladesh Central Bank: US$ 81 Million Cyber-Attack
The Federal Reserve Bank of New York
• Took place in February 2016, when instructions to steal US$951 million from Bangladesh Bank, the central bank of Bangladesh, were issued via the SWIFT network
• Five transactions issued by the attackers, worth $101 million and withdrawn from a Bangladesh Bank account at the Federal Reserve Bank of New York, succeeded, with $20 million traced to Sri Lanka (since recovered) and $81 million to the Philippines (about $18 million recovered)
• The New York Fed blocked the remaining 30 transactions, amounting to $850 million, at the request of Bangladesh Bank
• It was identified later that Dridex malware was used for the attack
Atiur Rahman, Governor of Bangladesh Bank, who resigned from his post in response to the case
Unauthorized Cross-Selling and the Creation of Fake Accounts
John Stumpf, former CEO of Wells Fargo
• Employees were encouraged to order credit cards for pre-approved customers without their consent; employees also created fraudulent checking and savings accounts
• A total of 3.5 million potentially fake bank and credit card accounts were found; the review also found 528,000 potentially unauthorized online bill pay enrollments
• The bank was fined $185 million to settle three government lawsuits over the bank's creation of sham accounts
• The bank fired approximately 5,300 employees between 2011 and 2016 as a result of fraudulent sales
Rogue Trading: SOC GEN (Societe Generale)
Who is Jerome Kerviel?
• Jerome Kerviel was a junior-level derivatives trader at Societe Generale, one of Europe's largest banks
• Kerviel had been trading profitably in anticipation of falling market prices; however, the bank accused him of exceeding his authority to engage in unauthorized trades totaling as much as €4.9 billion (US$7.2 billion)
• Thousands of trades were hidden behind offsetting faked hedge trades
World Trade Center Attack, Collapse 9/11
These are losses incurred through damage to physical assets caused by natural disasters or other events such as terrorism and vandalism. Rapid and unexpected changes in climatic conditions have been a constant cause of concern in the business world for more than a decade.
Internal Fraud: 499 million case (2552), loss amount 499,272,777.95 [Thai-language case details, including background, method and outcome, not recoverable]
Damage to Physical Assets: 2554 event [Thai-language case details not recoverable]
Damage to Physical Assets: 2547 event [Thai-language case details not recoverable; mentions 6 affected areas and ATM services]
Damage to Physical Assets: [Thai-language title and two-page case description not recoverable]
Operational Loss: Banking Industry
• In the banking industry, operational loss reached 23,061 MB over three consecutive years, while the average per year was 7,687 MB. Large banks tend to have a significantly higher 3-year average OpLoss than the others: 5,662 MB.
OpLoss 3 Year Total: Industry = 23,061 MB (Unit: MB, shown by bank size L / M / S)
OpLoss 3 Year Average: Industry = 7,687 MB
• Compared to OpRisk capital, whose calculation is mainly based on the GROSS INCOME factor, %OpLoss/OpRisk capital was about 13%. The proportion tends to be higher in small banks.
%OpLoss to Capital: Industry = 13% (Unit: MB, shown by bank size L / M / S)
• OpLoss control, in terms of risk management, has an influence on OpLoss decrease and on widening the gap between profit and loss
Impact of Risk Management to Organization's performance
[Chart: No. of Event (#), Net Profit (MB), OpLoss (MB); values shown: 4,643*; 586, 620, 536, 413, 267, 220**]
* Estimate 12-Month Net Profit & OpLoss
** Estimate 12-Month OpLoss Event
2017 COSO: Enterprise Risk Management – Integrating with Strategy and Performance
“The Original Framework is widely accepted and used to enhance an organization's ability to manage uncertainty and to consider how much risk to accept as they strive to increase stakeholder value”
Why update the 2004 Enterprise Risk Management – Integrated Framework?
“Since 2004, the complexity of risk has changed, significant new risks have emerged and boards have enhanced their awareness and oversight of risk management; therefore, updating the framework provides greater insight into strategy and the role of enterprise risk management in the setting and execution of strategy, and enhances the alignment between organizational performance and enterprise risk management”
Explore how ERM practices support identification and assessment of risk that may impact performance.
ERM is no longer focused on preventing the erosion of value and minimizing risk. It is viewed as integral to strategy setting and to the identification of opportunities to create value.
2017 COSO ERM: Key Changes
• Alignment between performance and ERM: emphasizes the relationship between risk and value
• Focus on the integration of ERM: risk is not positioned as a separate activity; it is presented through the lens of supporting an organization's operations, managing performance and value
• Elevates discussion of strategy: expands three concepts
  1. The possibility of strategy and business objectives not aligning with mission, vision, and values
  2. The implications of the selected strategy
  3. Risk to executing the strategy
• Risk is a consideration in many strategy-setting processes, but risk is often evaluated primarily in relation to its potential effect on an already-determined strategy.
• 2017 COSO places more emphasis on these concepts:
  • The possibility of the strategy not aligning with an organization's mission, vision, and core values
  • The implications of the strategy chosen
  • Risk to executing the strategy
A Focused Framework
Benefits of Effective Enterprise Risk Management
• Increasing the range of opportunities: considering both positive and negative aspects of risk, management can identify new opportunities and unique challenges
• Identifying and managing risk entity-wide: a risk can originate in one part of the entity but impact a different part; management identifies and manages entity-wide risk to improve performance
• Increasing positive outcomes and advantage while reducing negative surprises: ERM helps improve the ability to identify risk and establish appropriate responses, reducing surprises, cost & loss
• Reducing performance variability: ERM allows an organization to anticipate risk that would affect performance and enables it to put proper action in place
• Improving resource deployment: obtaining robust information on risk allows management to assess overall resource needs, prioritize, and enhance resource allocation
Key Success Factors for Effective Operational Risk Management
1. Good Governance Structure
2. Effective ORM Tools
3. End-to-End Risk Management & Integrated Tools
4. Embedding ORM into Day-to-Day Operation & Activity
Operational Risk Owner Under Three Lines of Defense
1st line of defense: Business Unit / Supporting Unit (manage day-to-day operational risk)
• Risk Owner
• Identify, assess, monitor and report their own risk
2nd line of defense: Risk Management / Compliance Unit (ORM framework and policy setting)
• Establish risk policy and framework
• Facilitate and monitor implementation of effective risk management practice
3rd line of defense: Internal Audit (independent challenge and review of control effectiveness)
• Independent review of control effectiveness
Effective Operational Risk – Reporting Line
Example: Operational Risk – Reporting Line
Board of Director
RMC / Management Committee
ORC Committee
New Product & Process Change Committee
[Thai-language notes on the RMC and the committee structure not recoverable]
Standard Operational Risk Tools
• Operational Loss Data: Loss / Near Miss data collected and reported via the ORM Co [Thai-language details not recoverable]
• Risk & Control Self Assessment [Thai-language details not recoverable]
• Key Risk Indicators: indicators linked to LD & RCSA, used as Early Warning [Thai-language details not recoverable]
Operational Risk Loss Reporting
BU/SU: Loss / Near Miss events reported to the ORM Co; Action Plan [Thai-language description not recoverable]
RMC / Management: [Thai-language description not recoverable]
Flow: BU/SU -> Loss / Near Miss to ORM Co -> Action Plan -> RMC / Management -> Capital
[Thai-language note on how Operational Loss Data relates to leverage, exposure and capital not recoverable]
Risk and Control Self Assessment
BU/SU: Op Risk Profile; action plan [Thai-language description not recoverable]
RMC / Management: [Thai-language description not recoverable]
Flow: BU/SU (Op Risk Profile) -> RMC / Management -> Capital
Key Risk Indicator (KRI)
BU/SU: KRI, used as an Early Warning Indicator for the BU/SU [Thai-language description not recoverable]
KRI reported to the ORM Co [Thai-language description not recoverable]
RMC / Management: KRI [Thai-language description not recoverable]
Flow: BU/SU (KRI) -> ORM Co -> RMC / Management -> Capital
Even with standard operational risk tools in place, many organizations still fail at risk identification.
Why?
Silo Based – Risk Assessment Approach
• Risk is traditionally assessed on a silo / department basis
• A business unit focuses on its own risk profile to manage its own performance, not organization performance
• Without considering other inter-related functions, risk cannot be seen, identified, and properly managed entity-wide
• Resource deployment serves each department's own needs, not the entity as a whole. This results in redundancy and inefficiency throughout the organization
[Diagram: Dept. 1, Dept. 2, Dept. 3 ... Dept. X, each with a separate Risk Profile]
End-to-End Process – Risk Assessment Approach
• In the new era, risk assessment evolves into an end-to-end process-based approach
• The risk owner identifies and manages the risk profile by considering inter-related functions / processes. In this way, not only entity performance is in focus, but also department- and process-wise performance
• Resource deployment is used efficiently entity-wide
[Diagram: Products A, B, C ... X cutting across Dept. 1, Dept. 2, Dept. 3 ... Dept. X, with one Risk Profile per product]
Embedding Operational Risk into Day-to-Day Management
Product & Process Change Life Cycle
Old Life Cycle:
1. Product Development / Change
2. Development & Implementation
3. Product Launch
4. Product Review
(Change Management runs alongside the cycle)
New Life Cycle:
1. Product Development / Change
2. Risk Assessment
3. Development & Implementation
4. Product Launch
5. Product Review
(Change Management runs alongside the cycle)
Benefit & Cost Trade-off: Benefit vs. Cost vs. Risk
New Product and Process Risk Process
Phase A: New Product Process and Change in Process
1. Path Identification
   TOOLS: Product/Process Change Proposal Template, e.g. Change Summary, E2E Process Change, Impact, Cost Benefit Analysis; Definition / Criteria; mutual agreement if any, escalate to NPRC
   AUTHORIZER: Sign: BU/SU Head
2. Product/service/process Design and Risk Assessment
   Minor Change (Fast track): Risk Assessment & Mitigation plan; Sign: BU/SU Head
   Major Change (Involve NPPRC): Risk Assessment & Mitigation plan; Risk Standard Verification: Risk Division; Sign: BU/SU Head/Risk; Final: RMC in Case of High Risk Level
3. Development: Product/Service Development and Readiness Verification
   TOOLS: Establish Project Team; Feasibility Study & Business Plan & Budget Approved*; Feasibility Study & Business Proposition
   AUTHORIZER: Sign: BU/SU Head; Final: MC (in case the feasibility study has not been approved)
4. Readiness Verification
   TOOLS: Process Verification: BA
   AUTHORIZER: Sign: BU/SU Head; Final: NPPRC Comm**
Phase B: Verification after Product Launch
5. Review: Product/Process Performance Review within 1 year after Launch; Auditing; Acceptance Certificate; Sign: BU/SU Head
* Ad hoc during the year, business plan & budgeting must be approved according to delegation of authority first
Product-wise Risk Profile Methodology
1) Understanding Business Concept: business model; product coverage; operating model
2) Enhancing the E2E Business Process
3) Enhancing Product Risk Profile: dept-wise RCSA changed to E2E product-wise; mapping loss to process; E2E risk and control assessment
4) Prioritizing Risk Profile: in-depth risk analysis on high-level risk; root cause analysis; mitigation plan proposal
Floor Plan Product: Business Model
“Without knowing the business model, the Risk Manager cannot deeply understand the underlying risk”
[Diagram: Motor, Dealer, Retail Customer, Other Bank, KK Bank; Thai-language labels not recoverable]
Product Coverage
Product | Sub Product | Product Manager | #Customer
Floorplan Lending | Floorplan; Term loan; OD/PN/LG | Mr. XXXX | 4000
Floor Plan: Operating Model
Overview: Front office and Supporting Office; Main Processing and Operation; related departments [Thai-language process and department labels not recoverable]
Key Main Systems: FP offering sheet, [Thai-language system name not recoverable], Warning System, Work Flow, FMS, FP Lending, SKS, Cash allocation, G-able, LOA-REG, LOA, FCR, KK teller, ABR
Floor Plan: High level E2E business process
[Diagram of processes P1 to P17 across the related departments and KK; Thai-language process names not recoverable]
Dept-wise to E2E process-wise
• Before: non-process related, department-only assessment
• After: integrated E2E process risk & loss analysis, mapping risk & loss by process
Floor Plan: Mapping Loss by process (E2E)
Mapping Loss Amount and Frequency (counts per process: L = Loss, NM = Near Miss, Non; Thai-language process names not recoverable)
P1: L (-) NM (-) Non (-)
P2: L (-) NM (-) Non (-)
P3: L (-) NM (-) Non (3)
P4: L (-) NM (-) Non (10)
P5: L (1) NM (-) Non (2)
P6: L (-) NM (-) Non (-)
P7: L (1) NM (-) Non (-)
P8: L (3) NM (-) Non (3)
P9: L (-) NM (-) Non (2)
P10: L (-) NM (-) Non (1)
P11: L (-) NM (-) Non (7)
P12: L (7) NM (3) Non (5)
P13: L (-) NM (-) Non (68)
P14: L (14) NM (48) Non (17)
P15: L (-) NM (-) Non (1)
P16: L (-) NM (-) Non (-)
P17: L (-) NM (-) Non (9)
Top Loss Amount: 1) $Mitsu999 = 133M (Mitigated) (P12); 2) Double Finance = 11.7M (Mitigated) (P14)
Top Frequency: 1) #Non [Thai-language event name] = 67 (P13); 2) #NM Double Finance = 48 (Mitigated) (P14); 3) #Non [Thai-language event name] = 7 (P17)
[Thai-language note referencing 03/2559 not recoverable]
Mapping previous RCSA and Loss by process
1. Mapping risk & loss to find unidentified risk
2. Mapping risk & loss for an accurate risk level
Mapping loss frequency & impact for accurate assessment [Thai-language sub-heading not recoverable]
No | Process | Risk | Risk Event Type | Risk Level | Current Control | #Events in 2015 | Total Gross Loss in 2015 | Proposed Risk Level
1 | P14 | Floorplan (Double Finance) [Thai-language risk description not recoverable] | ET7 | M | 1. [Thai-language control not recoverable] 2. [Thai-language control not recoverable] 3. Reconcile [Thai-language text not recoverable] Floor Plan and HP | 18 | 1.7M | H
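The mapping above, worked as code (an added example, not code from the deck or the bank): a constructed loss register is aggregated per process, the loss-data view is compared with assumed current RCSA levels, and the two findings the slide names (an unidentified risk, and an understated risk level) are flagged. The rating bands are assumptions chosen so that the deck's P14 case (18 loss events, 1.7M gross loss, currently rated M) comes out as H.

```python
from collections import defaultdict

# Constructed sample loss register; not data from the deck. Event kinds use the
# deck's labels: "L" = loss, "NM" = near miss, "Non" = event with no loss recorded.
# Gross loss is in thousands, so 1700 = 1.7M. Process IDs follow the deck (P9..P14).
EVENTS = (
    [("P14", "L", 100, "Double Finance: vehicle financed under HP and Floorplan")] * 16
    + [("P14", "L", 50, "Double Finance, partly recovered")] * 2
    + [("P14", "NM", 0, "Double Finance caught at reconciliation")] * 2
    + [("P13", "Non", 0, "document delay, no loss")] * 12
    + [("P12", "L", 400, "dealer default")] * 2
    + [("P9", "NM", 0, "near miss in a process with no RCSA entry")]
)

# Constructed current RCSA levels per process (the deck's table rates P14 as M).
RCSA_LEVEL = {"P12": "H", "P13": "L", "P14": "M"}

LEVELS = ["VL", "L", "M", "H", "VH"]

# Assumed rating bands (not from the deck): upper bounds for VL, L, M, H; above the
# last bound is VH. Chosen so 18-20 loss/near-miss events with 1.7M gross loss land on H.
FREQ_BANDS = [2, 5, 10, 20]            # events per year
IMPACT_BANDS = [100, 500, 1000, 5000]  # gross loss in thousands


def band(value, bounds):
    """Return the level index (0 = VL .. 4 = VH) of value under the given upper bounds."""
    for idx, upper in enumerate(bounds):
        if value <= upper:
            return idx
    return len(bounds)


def map_loss_by_process(events):
    """Aggregate per process: counts of L / NM / Non events and summed gross loss of L events."""
    agg = defaultdict(lambda: {"L": 0, "NM": 0, "Non": 0, "gross": 0})
    for proc, kind, gross, _ in events:
        agg[proc][kind] += 1
        if kind == "L":
            agg[proc]["gross"] += gross
    return dict(agg)


def data_implied_level(stats):
    """Assumed rule: frequency counts L and NM events, impact is the summed gross loss,
    and the implied level is the higher of the frequency band and the impact band."""
    freq = stats["L"] + stats["NM"]
    idx = max(band(freq, FREQ_BANDS), band(stats["gross"], IMPACT_BANDS))
    return LEVELS[idx]


def review_rcsa(events, rcsa_levels):
    """Compare the loss-data view with the current RCSA.
    Returns {process: (current_level, implied_level, finding)} only for processes that
    need attention: 'unidentified' when events exist but the process has no RCSA entry,
    'understated' when the loss data implies a higher level than the RCSA holds."""
    findings = {}
    for proc, stats in map_loss_by_process(events).items():
        implied = data_implied_level(stats)
        current = rcsa_levels.get(proc)
        if current is None:
            findings[proc] = (None, implied, "unidentified")
        elif LEVELS.index(implied) > LEVELS.index(current):
            findings[proc] = (current, implied, "understated")
    return findings


if __name__ == "__main__":
    for proc, s in sorted(map_loss_by_process(EVENTS).items()):
        print(f"{proc}: L ({s['L']}) NM ({s['NM']}) Non ({s['Non']}) gross={s['gross'] / 1000:.1f}M")
    for proc, (cur, imp, why) in sorted(review_rcsa(EVENTS, RCSA_LEVEL).items()):
        print(f"{proc}: current={cur} implied={imp} -> {why}")
```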
Product / Dept / Process Risk Assessment Perspective
[Diagram of Floorplan sub-processes FP01 to FP06 with Thai-language labels not recoverable; CA appears at FP01, FP03, FP04 and FP05]
Product Wise – Product Risk Profile
Key Risk (RCSA):
R7 (1) Double Finance [Thai-language description not recoverable; involves the Dealer]
R7 (2) [Thai-language description not recoverable]
R7 (3) [Thai-language description not recoverable]
R7 (4) [Thai-language description not recoverable]
Residual Risk Map (scale VL, L, M, H, VH; Thai-language axis labels not recoverable): R7(1), R7(2) and R7(3) plotted at H; R7(4) plotted at M
Hire Purchase vs. FloorPlan
[Thai-language case description not recoverable; figures cited: 56 and 35.1]
[Diagram: Mitsu Motor, Dealer Mitsu 999, KK, HP, Dealer; Thai-language labels not recoverable]
Silo view vs. End-to-End view of the Floorplan and Hire Purchase relationship between KK, the Dealer and Motor [Thai-language explanation not recoverable]
Chart legend: Recovery, Net Loss, No. of Event (420.2)
Role of Risk Management to Bank Performance
“Risk Management is the process of identifying, analyzing and responding to risk factors throughout the life of a project and in the best interests of its objectives. Proper risk management implies control of possible future events and is proactive rather than reactive.”
Decreasing Trend of Operational Loss over 6 years
KK OpLoss vs. Capital (Unit: MB)
Year: Y2012, Y2013, Y2014, Y2015, Y2016, Y2017
No. of Event: 586, 620, 536, 413, 267, 194
Net Loss: 49.6, 420.2, 20.4, 34.5, 95.4, 9.9
Capital: 1,055, 1,186, 1,617, 1,748, 2,142, 2,247
OpLoss (Net Loss) to Capital: 4.7%, 35.4%, 1.3%, 2.0%, 4.5%, 0.4%
Further chart values labelled Gross Loss / Recovery, in the order shown: 23.1, 252.4, 15.2, 8.6, 44.5, 9.1
* Estimate 12-Month Net Profit & OpLoss
Net Profit vs. OpLoss: Gap (chart)
Appendix
Cyber Attack: [Thai-language title not recoverable]
[Thai-language case description, two numbered points and closing note on the resulting risk, not recoverable]
Royal Bank of Scotland: IT Failures
• In June 2012, a software failure left some customers unable to access their accounts for days, and cost RBS Group £175 million in compensation. A software update was applied on 19 June 2012 to RBS's batch software, which controls its payment processing system. It later emerged that the update had been corrupted by RBS technical staff. Customers' wages, payments and other transactions were disrupted. Some customers were unable to withdraw cash using ATMs or to see bank account details. Others faced fines for late payment of bills because the RBS system could not process direct debits.
System Error: [Thai-language title not recoverable]
[Thai-language case description not recoverable; refers to the Core Banking system and ATM]