Operational Risk Questionnaire: A Framework for Operational Risk Management

Uploaded by zorion, 11-Jan-2016 (PowerPoint presentation, 12 pages)

TRANSCRIPT

Page 1: Operational Risk Questionnaire

Operational Risk Questionnaire

A Framework for Operational Risk Management

Page 2: Operational Risk Questionnaire

Broad Street Banking | Operational Risk Questionnaire

Background on Operational Risk

• New Basel capital requirements are based upon market, credit, and operational risk.

• The New Basel Capital Accord defines operational risk as:

“The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”

• Market and credit risk both have well-understood market conventions, and are readily quantifiable. Operational risk management is at an earlier stage, and no market consensus on measurement and approach has yet formed.

• Best practices and industry trends are moving toward more active means of defining, measuring, monitoring, and mitigating operational risks.

Page 3: Operational Risk Questionnaire


BSB Questionnaire Framework

BSB proposes the following risk categories to establish what risks exist, and how management is or could be controlling risk:

• External Catastrophe

• Service Provider Failure

• Regulatory

• Fraud, Theft, and Vandalism

• Compliance with Policies, Procedures, and Practices

• Customer Relationships

• Key Control Effectiveness

• Compliance with Commercial Contracts

• People Management

• Information Risk

• IT Security

Page 4: Operational Risk Questionnaire


BSB Approach – Risk Identification

Each risk category is intended to elicit risk information from a specific perspective:

• External Catastrophe - The risk that an external event would disrupt the ability of staff to access office locations or perform normally required tasks. These are risks that you can plan against but cannot prevent.

• Service Provider Failure - The risk that a service provider's failure to deliver expected services would hinder or prevent normal business activity. The risks in this category are those where there is excessive reliance upon an external or internal service provider or outsourced function, or where contingency plans do not exist or are inadequate. The principal risk in this category is that you will be unable to continue business, or will suffer significant deficiencies, due to failures or inadequacies in service provider delivery or outsourced functions.

• Regulatory - The risk that your activities will fail to comply with regulatory requirements and restrictions. The risks in this category are those where regulatory non-compliance results in regulator response, up to and including a cease-and-desist order.

• Fraud, Theft, and Vandalism - The risk of an internal or external party committing fraud, theft, or vandalism, causing monetary or reputational damage to BSB or its clients.

• Compliance with Policies, Procedures, and Practices - The risk that you will fail to comply with internal policies, procedures, and practices, as well as industry best practices and ethical business practices. Non-compliance with these practices suggests that you are not managing your business and risks according to market standards.

• Customer Relationships - The risk that you will fail in the management of customer relationships and in delivery of services to customers, causing monetary and reputational damages. The risks in this category are those that affect your market share, reputation, and profitability.

Page 5: Operational Risk Questionnaire


BSB Approach – Risk Identification

• Key Control Effectiveness - The risk that operational control points will fail to function as intended, putting you at risk of significant monetary losses, regulatory action, and reputational damage. The risks of ineffective controls are widespread, and affect many areas with a wide range of monetary, reputational, and regulatory implications. This category also covers the risk that you will have poorly structured behavioral and physical limits, or that those limits might be unenforced or circumvented, and the efficiency of the control structure itself.

• Compliance with Commercial Contracts - The risk that you will fail to comply with, or implement properly, commercial contracts, with potential monetary damage, legal exposure, and reputational damage. The risks in this category are those which affect the legal relationships between you and clients / counterparties. Incidents of this type could affect relationships, cause legal action, and adversely impact future ability to do business with the client / counterparty.

• People Management - The risk that you will fail to attract, manage, develop, and retain employees with the appropriate skills. The risk in this category is that you will, over the long term, fail to stay competitive and fail to have employees with the skills and training to engage in business in a prudent, well-controlled fashion. It also covers the risk that you will fail to organize your business in an appropriate way, resulting in an inefficient and operationally risky business structure, which would affect long-term business risk, profitability, and competitiveness, and the risk that you will choose inefficient or inappropriate measures of staff or business performance.

• Information Risk - The risk that you might manage your business or generate reporting based upon incomplete, inaccurate or inappropriate information, as well as the risk that BSB will not be able to access archived information.

• Infrastructure Security (IT View) - The risk that your IT security structure will fail to perform as intended, allowing unauthorized access and data damage or loss.

Page 6: Operational Risk Questionnaire


BSB Risk Categories

Category, followed by its sub-categories or lines of questioning:

1  External Catastrophe: External Catastrophe

2  Service Provider Failure: External Service Provider Failure; Outsourced Functions; Availability and Continuity of Systems (User View)

3  Regulatory: Regulatory Reports

4  Fraud: External Fraud; Internal Fraud

5  Compliance with Policies, Procedures, and Practices: Compliance with Policies, Procedures, and Practices; Compliance with Practices and Rules; Improper Practices

6  Customer Relationships: Customer Risk Management; Customer Satisfaction

7  Key Control Effectiveness: Key Control Effectiveness; Empowerment and Authorization

8  Compliance with Commercial Contracts: Compliance with Commercial Contracts

9  HR Management: Human Resources Management; Role Definition; Performance Measurement

10 Information: Information Integrity; Information's Nature; Information Use

11 IT Security: Infrastructure Security (IT View)

The original 23 risk categories have been merged into 11, eliminating 12 descriptive answers and approximately 10 more repetitive lines of questioning.

Page 7: Operational Risk Questionnaire


BSB Risk Classification

For each risk category, the questionnaire will have one or several scenarios or risks. For each of these scenarios or risks, the following questions need to be answered:

Risk Severity

• What would be the impact on P/L?

• What would be the effect on customers and on your image?

• What is the frequency of this type of event or loss?

• What would be a typical loss from an incident of this type?

Management’s Ability to Control

• How aware and involved is management in managing this risk? (Responsibilities defined, resources allocated, etc.)

• What is your assessment of the effectiveness and efficiency of the internal control system?

• Which of the following exist to address this type of operational risk? Policies, procedures, formal organization, formal limits, risk control system, monitoring system, regular or periodic reporting, management review

• Is data regarding this type of event or loss known, reported, and stored?

Page 8: Operational Risk Questionnaire

[Slide image: sample questionnaire layout with Risk Scenarios, Answer Area and General Questions columns]

Page 9: Operational Risk Questionnaire


Questionnaire Function

The questionnaire consists of approximately 100 risk scenarios, with 8 general questions to answer for each.

7 of the 8 questions are multiple choice, and have drop-down selection boxes to simplify the process for the user.

1 of the questions asks about the existence of certain risk management tools. In the answer space for this question are checkboxes, with a check signifying yes and an empty checkbox signifying no.

Each of the 23 risk categories has one answer space for a text description of the risk situation, particularly significant risks or scenarios, and additional comments.

Page 10: Operational Risk Questionnaire


Questionnaire Output

• BSB has taken the approach that operational risk is best viewed in the context of a four-sectored grid.

• Highlighting high impact risks with a high degree of controllability gives BSB a starting point to reduce risk.

The grid (x-axis: Ability to Control Risk; y-axis: Impact of Risk):

                              Ability to Control Risk
                           Low Ability          High Ability
  Impact of   High      High Impact /         High Impact /
  Risk                  Low Ability           High Ability
              Low       Low Impact /          Low Impact /
                        Low Ability           High Ability

Page 11: Operational Risk Questionnaire


Answer Scoring

By employing a scoring methodology, the answers on the questionnaire can be used to plot the risks of a business area by type.

Risk types plotted in the slide's example:

• External Service Provider Failure

• External Fraud

• Regulatory

• Compliance with Policies, Procedures, and Practices

• Key Control Effectiveness

• Customer Risk Management

• External Catastrophe

[Chart: the risk types above plotted by Ability to Control Risk (x-axis) against Impact of Risk (y-axis)]
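The slides say the answers are scored and plotted but do not give the formula. The following is an added example, not BSB's own code: it scores the eight general questions of each scenario (the four Risk Severity questions into an impact score, the four Ability to Control questions into a controllability score), averages the scenarios of each risk category, and places each category in one of the four grid sectors, ordering them with High Impact / High Ability first as the slide's starting point. The drop-down scales, the equal weighting of the questions, the 0.5 sector threshold and the sample answers are all assumptions made for the example.

```python
"""Score questionnaire answers and place each risk type on the four-sectored grid.

Added example, not code from the original slides. Scales, equal weighting and the
0.5 threshold are assumptions; BSB's actual scoring methodology is not disclosed.
"""
from dataclasses import dataclass, field
from statistics import mean

# Assumed drop-down scales, ordered low -> high; position in the tuple is the score.
PL_IMPACT = ("negligible", "minor", "moderate", "major", "severe")
IMAGE_EFFECT = ("none", "limited", "noticeable", "significant", "critical")
FREQUENCY = ("rare", "occasional", "periodic", "frequent", "continuous")
TYPICAL_LOSS = ("<10k", "10k-100k", "100k-1m", "1m-10m", ">10m")
MGMT_INVOLVEMENT = ("unaware", "aware", "responsibilities defined",
                    "resources allocated", "actively managed")
CONTROL_EFFECTIVENESS = ("ineffective", "weak", "adequate", "good", "strong")
LOSS_DATA = ("unknown", "known", "reported", "stored")

# The eight risk management tools from the checkbox question on the slide.
TOOLS = frozenset({"policies", "procedures", "formal organization", "formal limits",
                   "risk control system", "monitoring system", "periodic reporting",
                   "management review"})

# Sector order in which the risks are worked: high impact that management can
# control is the starting point for reducing risk.
PRIORITY = ("High Impact / High Ability", "High Impact / Low Ability",
            "Low Impact / High Ability", "Low Impact / Low Ability")


def _ordinal(value, scale):
    """Map a drop-down choice to [0, 1] by its position in its scale."""
    if value not in scale:
        raise ValueError(f"{value!r} is not one of {scale}")
    return scale.index(value) / (len(scale) - 1)


@dataclass
class ScenarioAnswers:
    """The eight general-question answers for one risk scenario."""
    category: str
    scenario: str
    pl_impact: str
    image_effect: str
    frequency: str
    typical_loss: str
    mgmt_involvement: str
    control_effectiveness: str
    tools_present: frozenset = field(default_factory=frozenset)  # checkbox question
    loss_data: str = "unknown"

    def impact_score(self):
        """Risk Severity questions -> 0..1, where 1 is the most severe."""
        return mean([_ordinal(self.pl_impact, PL_IMPACT),
                     _ordinal(self.image_effect, IMAGE_EFFECT),
                     _ordinal(self.frequency, FREQUENCY),
                     _ordinal(self.typical_loss, TYPICAL_LOSS)])

    def control_score(self):
        """Ability to Control questions -> 0..1, where 1 is the most controllable."""
        unknown = self.tools_present - TOOLS
        if unknown:
            raise ValueError(f"unknown tools: {sorted(unknown)}")
        return mean([_ordinal(self.mgmt_involvement, MGMT_INVOLVEMENT),
                     _ordinal(self.control_effectiveness, CONTROL_EFFECTIVENESS),
                     len(self.tools_present) / len(TOOLS),  # fraction of tools ticked
                     _ordinal(self.loss_data, LOSS_DATA)])


def quadrant(impact, control, threshold=0.5):
    """Name the grid sector for an (impact, ability-to-control) pair."""
    return (f"{'High' if impact >= threshold else 'Low'} Impact / "
            f"{'High' if control >= threshold else 'Low'} Ability")


def plot_by_type(answers):
    """Average each category's scenarios and order the categories by sector priority.

    Returns (category, impact, control, sector) tuples, highest priority first.
    """
    by_category = {}
    for a in answers:
        by_category.setdefault(a.category, []).append(a)
    rows = []
    for category, items in by_category.items():
        impact = mean(a.impact_score() for a in items)
        control = mean(a.control_score() for a in items)
        rows.append((category, impact, control, quadrant(impact, control)))
    rows.sort(key=lambda r: (PRIORITY.index(r[3]), -r[1]))  # higher impact first within a sector
    return rows


# Constructed sample answers for the example (not real BSB data).
SAMPLE_ANSWERS = [
    ScenarioAnswers("Fraud", "Card-not-present fraud ring", "major", "significant", "frequent",
                    "100k-1m", "actively managed", "good",
                    frozenset({"policies", "procedures", "formal limits", "risk control system",
                               "monitoring system", "periodic reporting"}), "stored"),
    ScenarioAnswers("External Catastrophe", "Regional power outage", "severe", "significant",
                    "rare", ">10m", "aware", "weak", frozenset({"policies", "procedures"}), "known"),
    ScenarioAnswers("Regulatory", "Late regulatory report", "minor", "limited", "occasional",
                    "10k-100k", "resources allocated", "adequate",
                    frozenset({"policies", "procedures", "periodic reporting", "management review"}),
                    "reported"),
    ScenarioAnswers("Regulatory", "Misfiled regulatory report", "moderate", "limited", "periodic",
                    "10k-100k", "resources allocated", "good",
                    frozenset({"policies", "procedures", "periodic reporting", "management review"}),
                    "stored"),
]

if __name__ == "__main__":
    for category, impact, control, sector in plot_by_type(SAMPLE_ANSWERS):
        print(f"{category:22} impact={impact:.2f} control={control:.2f}  {sector}")
```

With the sample answers, Fraud lands in High Impact / High Ability and is listed first, External Catastrophe in High Impact / Low Ability (severe but rare and hard to control, so it is planned against rather than reduced), and the two Regulatory scenarios average out to Low Impact / High Ability. A questionnaire with unknown drop-down values or tool names is rejected rather than silently scored, which matters when roughly 100 scenarios are being aggregated.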

Page 12: Operational Risk Questionnaire


Contact Us

David E. Fisher

203.434.7545

[email protected]

Maurice A. Krisel

203.331.5644

[email protected]