Operational Risk & Business Continuity Management - An Effective And Integrated Approach
Chris Lintern
Co-operative Financial Services
Leading the risk profession
Introduction & Approach
Chris Lintern
• Background in all aspects of Business Continuity Management within
Financial Services
• Part of central Operational Risk Management Team
Co-operative Financial Services
• Includes Co-operative Bank, Co-operative Insurance, Co-operative
Investments
• Merged last year with Britannia Building Society
• Our vision is to be the UK’s most admired financial services business
Approach to this session
• Active participation
• All views welcome and appreciated
Purpose
• To share thoughts on the benefits of integrating Operational
Risk & Business Continuity
• Consider some of the key stakeholders, and the aims and
components for Operational Risk and Business Continuity
frameworks
• Conclusions
What is Operational Risk Management?
Managing the risk of loss resulting from inadequate or failed
internal processes, people and systems or from external events
(Basel Committee of the Bank of International Settlements)
What is Business Continuity?
A holistic management process that identifies potential threats to an
organisation and the impacts to business operations that those
threats, if realised, might cause and which provides a framework for
building organisational resilience with the capability for an effective
response that safeguards the interests of its key stakeholders,
reputation, brand and value creating activities (BS25999 – British
Standard for BCM)
Back to Basics
Preventing nasty surprises wherever practical, and having the confidence that your organisation can respond to and mitigate them - if and when they occur
• Health & Safety
• Key Suppliers / Outsource Partners
• System failures
• Property & Facilities
• Key person dependencies
• External threats
Historic Positioning of Op Risk & BCM
• Focus on “traditional” business continuity – denial of access to premises, or loss of systems
• BCM and Operational Risk seen as separate entities
Diagram labels: BCM; Operational Risk
Synergies between the two
Stakeholders | Framework Components | Intended Outcome
Board | Policy & Procedures | Understanding of appetite
Executive & Senior Management | Supporting documents | Proactive assessment
Operational Management | Plans & Training | Understanding of impact
Other Considerations
• Impact on Capital
• Impact on Change
• Insurance
Operational Risk – Integrated Approach
Diagram components: Operational Risk; Business Continuity; Insurance; Operational Risk Capital; Control Self-Assessment
Proactive identification of risks
• Assessment and evaluation
• Scenario analysis
Assess controls
• CSA process
• Review control weaknesses
• Track actions
• Link control evidence to risks
• Review incidents as evidence of control failures
Mitigation of operational risks
• Crisis Management Team & Plan
• Incident Management Teams
• Crisis Management Centre
• Work-Area Recovery
• Disaster Recovery strategy
Risk transfer
• Placement
• Claims Handling
• Specific perils e.g. Buildings/Contents, Business
Interruption Insurance
• Advice & Guidance
Capital against unexpected losses
• Calculation
• Planning
Operational Risk Components
Diagram labels:
• Purpose; Vision; 3 Year Strategic Plan; Strategy
• Core Processes; Critical Systems; Colleagues; Facilities; Suppliers & Outsource Partners
• External Events e.g. Weather, Terrorism; Change agenda
• Bottom-up Operational Risk Profile; Scenarios; Top-down Operational Risk Profile
• Operational Risk Capital; Operational Risk Appetite
• Business Continuity; Incident & Near-Miss Reporting; Resilience; Work-Area Recovery; Disaster Recovery; Incident & Crisis Management
• Insurance Programme; Claims
• Operational Risk strategy and plan; Reporting
• Operational Risk; End-to-end Process view; Key Controls; Control Self-Assessment; Policies
Embedding the Culture
• Business buy-in of paramount importance
• Incident Management framework known and utilised –
importance of exercising
• Risk Division seen as involved – not sat in Ivory Towers
• Part of the solution, not part of the problem - BC & Op Risk
representatives heavily involved in Incident Management
• Keep things simple – common language
• Linked to the CFS customer promise
Incident Framework
Diagram labels: Crisis Management Team; Incident Management Teams; IS Service Continuity; Business units / areas; BC plan owners and Plan co-ordinators; Escalate up; Cascade down; Operational Risk (incl. BCM)
Incident Management Team - Structure
• Incident Management Team Leader
• People Co-ordinator
• IS Co-ordinator
• Information Co-ordinator
• Comms Co-ordinator
• Business Operations Co-ordinator
• Site Facilities & Security
Integrated Approach
Diagram labels: Operational Risk; BCM; Key risks mitigated; Tangible exercising; Incident Management Capability; Risk Assessments; Stress scenarios; Issues raised as risks
Conclusions
• An effective and consistent framework
• Can be used to define overall risk appetite at Board level
• Practical considerations – both areas need policies &
procedures
• Simple for the business
• Aligned to business processes
• Crucial that it’s accepted from a cultural perspective within the
newly merged organisation
• Potential to drive efficiencies and cost-savings