operational risk & business continuity management

Operational Risk & Business Continuity Management - An Effective And Integrated Approach. Chris Lintern, Co-operative Financial Services. Leading the risk profession

Upload: ujjwal-shanu

Post on 04-Nov-2014


Page 1: Operational risk & business continuity management

Operational Risk & Business Continuity Management - An Effective And Integrated Approach

Chris Lintern
Co-operative Financial Services

Leading the risk profession

Page 2: Operational risk & business continuity management

Introduction & Approach

Chris Lintern
• Background in all aspects of Business Continuity Management within Financial Services
• Part of central Operational Risk Management Team

Co-operative Financial Services
• Includes Co-operative Bank, Co-operative Insurance, Co-operative Investments
• Merged last year with Britannia Building Society
• Our vision is to be the UK’s most admired financial services business

Approach to this session
• Active participation
• All views welcome and appreciated

Page 3: Operational risk & business continuity management

Purpose

• To share thoughts on the benefits of integrating Operational Risk & Business Continuity

• Consider some of the key stakeholders, and the aims, and components for Operational Risk and Business Continuity frameworks

• Conclusions

Page 4: Operational risk & business continuity management

What is Operational Risk Management?

Managing the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events (Basel Committee of the Bank of International Settlements)

What is Business Continuity?

A holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realised, might cause and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities (BS25999 – British Standard for BCM)

Page 5: Operational risk & business continuity management

Back to Basics

Preventing nasty surprises wherever practical, and having the confidence that your organisation can respond to and mitigate them - if and when they occur

• Health & Safety
• Key Suppliers / Outsource Partners
• System failures
• Property & Facilities
• Key person dependencies
• External threats

Page 6: Operational risk & business continuity management

Historic Positioning of Op Risk & BCM

• Focus on “traditional” business continuity – denial of access to premises, or loss of systems
• BCM and Operational Risk seen as separate entities

BCM

Operational Risk

Page 7: Operational risk & business continuity management

Synergies between the two

Stakeholders | Framework Components | Intended Outcome
Board | Policy & Procedures | Understanding of appetite
Executive & Senior Management | Supporting documents | Proactive assessment
Operational Management | Plans & Training | Understanding of impact

Other Considerations
• Impact on Capital
• Impact on Change
• Insurance

Page 8: Operational risk & business continuity management

Operational Risk – Integrated Approach

Operational Risk

Business Continuity

Insurance

Operational Risk Capital

Control Self-Assessment

Page 9: Operational risk & business continuity management

Operational Risk – Integrated Approach

Operational Risk

Business Continuity

Insurance

Operational Risk Capital

Control Self-Assessment

Proactive identification of risks
• Assessment and evaluation
• Scenario analysis

Page 10: Operational risk & business continuity management

Operational Risk – Integrated Approach

Operational Risk

Business Continuity

Insurance

Operational Risk Capital

Control Self-Assessment

Assess controls
• CSA process
• Review control weaknesses
• Track actions
• Link control evidence to risks
• Review incidents as evidence of control failures

Page 11: Operational risk & business continuity management

Operational Risk – Integrated Approach

Operational Risk

Business Continuity

Insurance

Operational Risk Capital

Control Self-Assessment

Mitigation of operational risks
• Crisis Management Team & Plan
• Incident Management Teams
• Crisis Management Centre
• Work-Area Recovery
• Disaster Recovery strategy

Page 12: Operational risk & business continuity management

Operational Risk – Integrated Approach

Operational Risk

Business Continuity

Insurance

Operational Risk Capital

Control Self-Assessment

Risk transfer
• Placement
• Claims Handling
• Specific perils e.g. Buildings/Contents, Business Interruption Insurance
• Advice & Guidance

Page 13: Operational risk & business continuity management

Operational Risk – Integrated Approach

Operational Risk

Business Continuity

Insurance

Operational Risk Capital

Control Self-Assessment

Capital against unexpected losses
• Calculation
• Planning

Page 14: Operational risk & business continuity management

Operational Risk Components

• Purpose
• Vision
• 3 Year Strategic Plan
• Strategy
• Core Processes
• Critical Systems
• Colleagues
• External Events e.g. Weather, Terrorism
• Change agenda
• Bottom-up Operational Risk Profile
• Scenarios
• Top-down Operational Risk Profile
• Facilities
• Operational Risk Capital
• Operational Risk Appetite
• Business Continuity
• Incident & Near-Miss Reporting
• Resilience
• Work-Area Recovery
• Disaster Recovery
• Incident & Crisis Management
• Insurance Programme
• Operational Risk strategy and plan
• Reporting
• Suppliers & Outsource Partners
• Operational Risk
• End-to-end Process view
• Key Controls
• Control Self-Assessment
• Policies
• Claims

Page 16: Operational risk & business continuity management

Embedding the Culture

• Business buy-in of paramount importance
• Incident Management framework known and utilised – importance of exercising
• Risk Division seen as involved – not sat in Ivory Towers
• Part of the solution, not part of the problem - BC & Op Risk representatives heavily involved in Incident Management
• Keep things simple – common language
• Linked to the CFS customer promise

Page 17: Operational risk & business continuity management

Incident Framework

Crisis Management Team

Incident Management Teams

IS Service Continuity

Business units / areas

BC plan owners and Plan co-ordinators

Escalate up

Cascade down

Operational Risk (incl. BCM)

Page 18: Operational risk & business continuity management

Incident Management Team - Structure

People Co-ordinator

IS Co-ordinator

Information Co-ordinator

Comms Co-ordinator

Business Operations Co-ordinator

Incident Management Team Leader

Site Facilities & Security

Page 19: Operational risk & business continuity management

Integrated Approach

Operational Risk

BCM

Key risks mitigated

Tangible exercising

Incident Management Capability

Risk Assessments

Stress scenarios

Issues raised as risks

Page 20: Operational risk & business continuity management

Conclusions

• An effective, and consistent framework
• Can be used to define overall risk appetite at Board level
• Practical considerations – both areas need policies & procedures
• Simple for the business
• Aligned to business processes
• Crucial that it’s accepted from a cultural perspective within the newly merged organisation
• Potential to drive efficiencies and cost-savings

Page 21: Operational risk & business continuity management

Thank You

Any Further Questions – [email protected]