operational risk management - a gateway to managing the risk profile of your organization (july...
Operational Risk Management
A GATEWAY TO MANAGING THE RISK PROFILE OF YOUR ORGANIZATION
Eneni Oduwole, July 2015
Content
1. Definitions of Operational Risk & Operational Risk Management
2. Elements of ORM
3. ORM Procedures
4. ORM Tools
5. Benefits of ORM
DEFINITIONS
BRIEF INTRODUCTION TO THE SUBJECT, ITS CORE PRINCIPLES AND FRAMEWORK
What is Operational Risk?
Commonly defined as the ‘risk of loss resulting from failed or inadequate processes, people, systems or from external events’.
It is not a control function
It involves interfacing with all departments and business units within an organization to ensure that primary risks regarding people, process, systems and external issues
What is Operational Risk Management (ORM)?
Commonly defined as the ‘continual cyclic process which includes risk assessment, risk decision making, and implementation of risk controls, which results in acceptance, mitigation, or avoidance of risk’ (see Wikipedia)
Operational risk management had been defined in the past as all risk that is not captured in market and credit risk management programs. Early operational risk programs, therefore, took the view that if it was not market risk, and it was not credit risk, then it was operational risk (GARP)
ORM is the discipline in an organization that manages the loss or risk of loss resulting from improper or non-management of people, process, system and externally triggered issues
Core Principles of ORM
Accept risk only when benefits are greater than risk of loss or cost of control
Do not accept unnecessary risk; transfer or share where necessary
Anticipate and manage risk by effectively planning and monitoring
Ensure that risk decisions are made at the right level and executed organization-wide
Transparency of Risk is critical
The ORM Framework
As depicted by The Risk Mgt Association (RMA)
i. Management driven
ii. Provides consistent policies and procedures to be applied firm-wide
iii. Must have a consistent and comprehensive capture of data elements
iv. Must reflect the scope and complexity of all business activities
v. Be ‘fit-for-purpose’, unique and require a tailored approach that is appropriate for the scale and materiality of the size and risks prevalent in the institution
Governance Structure
• Board: Risk appetite and tolerance
• Process Owners (All Staff): Ownership and accountability
• Mgt Staff / Dept Heads / Line Managers: Business requirement
• ERM / ORM: OR Risk standards and benchmarks
• Internal Audit: Independent review
ELEMENTS OF ORM
HIGHLIGHTS ON THE COMPONENTS OF ORM WITH RELEVANT EXAMPLES
Components of ORM

People Risks
• Loss of Key Staff
• Employment Laws
• Occupational Health & Safety
• Adequate Training and Skills Nurturing
• Employee collusion/fraud

Process Risks
• Input Errors
• Non-adherence to policies & procedures
• Reporting errors
• Product/Process complexity
• Project Risk

System Risks
• IT Security breaches
• System Capacity
• Data Availability
• System Suitability
• IT General Controls
• Programming errors
• Data Integrity

External Risks
• Business Continuity Mgt
• Regulatory Compliance
• Supplier Risk Mgt
• Security Risk
• Impact of macro-economic trends
• Vendor Relationship Mgt
People Risk Issues
Quality of Recruits
Sourcing and Selection strategy
Retention strategy for top-talents
Strategy for training; Acculturation of staff
Monitoring Attrition Rate and Concentrations
Managing Staff Motivation
Process Issues
Effectiveness of process designs – simple or complex; flexible or rigid
Manual vs. Automated processes; Cost effectiveness of process controls
Performance gradient monitoring
Adequacy of embedded controls; Execution of controls
Vendor Management
System Issues
Availability of core applications or systems
Network intrusion; Virus Attack
Denial of service
Data corruption or Sabotage
Unauthorised Access to Information
System Penetration Issues
www.computerweekly.com
External Events
Adherence to Regulatory Stipulations
Compliance & Legal Risk Management
Business Continuity Management
Shift in Industry trends; Global trends
Macro-economic conditions
Available Infrastructure
ORM PROCEDURES
PROCESSES, PROCESS FLOW, MEASUREMENT PARAMETERS
Processes of ORM
OPERATIONAL RISK GOVERNANCE & MANAGEMENT
1. Fraud Risk Mgt
2. Information Risk Mgt
3. Business Continuity Mgt
4. Occupational Health & Safety Mgt
5. IT Risk Assurance

1. OR Policies & Procedures
2. Risk Assessments
3. Loss Incident Reporting
4. Key Risk Indicator Monitoring

1. Compliance & Legal Risk Mgt
2. Audit Non-conformance Monitoring
3. Third Party Relationship Mgt
OpRisk Process Flow

Stage labels in the diagram:
• Risk Control
• Risk Identification
• Risk Measurement
• Risk Assessment
• Risk Monitoring

Activities shown in the diagram:
• Conduct RCSAs; Compile KRIs and Loss Incident reports
• RCSA Events; KRI Trends; Loss Data Risk Concentrations
• Suggest required controls; Ensure cost effectiveness and appropriateness
• Report identified risks to key stakeholders; Ensure suggested mitigants are fully implemented
• Probability & Severity Assessments; Overall Risk Ratings, Risk Concentration and Prioritization
Measurement Parameters

Impact:
• Also known as Severity
• Refers to actual or estimated loss to the organization in terms of financial losses or reputational damage

Probability:
• Also referred to as Likelihood of occurrence
• Used to measure the estimated frequency of an event

Both types can be measured in either Qualitative or Quantitative terms
Probability or Likelihood

| Likelihood | Rating | Criteria |
|---|---|---|
| Almost certain | 5 | It is expected to happen; will certainly happen this fiscal year or during the three year period of the Service Plan |
| Likely | 4 | We expect it to happen; it would be surprising if this did not happen. |
| Possible | 3 | Just as likely to happen as not; we don't expect it to happen, but there is a chance |
| Unlikely | 2 | Not anticipated; we won't worry about it happening |
| Rare | 1 | It would be surprising if this happened; there would have to be a combination of unlikely events for it to happen |
Impact

| Impact | Rating | Criteria / Examples |
|---|---|---|
| Catastrophic | 5 | No recovery of outstanding debt in full; Irreparable damage to DIL's credibility or integrity |
| Major | 4 | Event that requires a major realignment of how service is delivered; Significant event that has a long recovery period; Failure to deliver major stakeholder or investors commitment |
| Moderate | 3 | Less vulnerable in the near term but faces major ongoing uncertainties to adverse business, financial and economic conditions |
| Minor | 2 | Strong capacity to meet financial commitments but more subject to adverse economic conditions; Can be dealt with at a department level but requires Executive notification |
| Insignificant | 1 | Minimal financial losses; Can be dealt with internally; No escalation of the issue required; No media attention; No or manageable stakeholder or client interest |
OpRisk Loss Types
Actual losses:
Values related to losses already expensed by the organisation
Potential losses:
Values related to incidents that are yet to be determined, usually as it relates to incidents under investigation or for which the customer is liable
Prevented losses:
Values related to incidents that were frustrated because of the effectiveness of the organisation’s control mechanism
ORM TOOLS
BRIEF INTRODUCTION ON RCSA, KRI AND LOSS INCIDENT REPORTING
Tools of ORM
Risk & Control Self Assessment (RCSA):
A simple process that captures prevalent and likely risks in a business function and suggests required controls
It is a participative process that relies on inputs from everyone involved in running the business or managing relevant processes
It is a qualitative exercise that should be carried out at least on a quarterly basis
Risk & Control Self Assessment (RCSA):
It should provide answers to the following questions:
• What can go wrong? How can it go wrong? (Risk Factors)
• What is the likelihood of it going wrong? (Likelihood)
• What is the potential damage? (Impact)
• What can be done about it? (Controls)
• Who will do it? (Responsibility)
RCSA Sample Template
Loss Incident Reporting
• Involves the process of collating data resulting from operational risk events relating to people, process, system and external events risks
• Assists with identifying trends
• Ensures cost-effective controls are deployed to mitigate likely risks
• Enables determination of risk concentration

Loss data includes:
– Actual losses
– Near misses (potential and prevented losses)
Sample of Loss Incident Form
Key Risk Indicator (KRI) Monitoring
• KRIs are quantitative parameters used to identify changes in the risk profile of business activities and processes
• Close monitoring enables the following:
– Clear understanding of how risk profiles change
– Determination of volatility of risks across the business environment
– A forward looking perspective on current risk profile
– Understanding of early warning signals for emerging risks
Sample of KRI Dashboard
BENEFITS OF ORM
REASONS FOR INVESTING IN ORM
Values of ORM
Improved quality
Cost savings
Stability of earnings; Reduced Volatility
Enhanced competitive position of the organization
Operational efficiency
Assured long-term survival
Compliance with best global practices
Enhanced Shareholder Value
Risk Reward
ORM is Simply Good Business
Good Operational Risk Management
Fewer Surprises
Increased Shareholder Value