Operational Risk Risk Appetite & Operational Excellence Catherine van Doorslaer Operational Risk Manager at ING Belgium


Post on 22-Dec-2015


Operational Risk

Risk Appetite & Operational Excellence

Catherine van Doorslaer

Operational Risk Manager at ING Belgium

Catherine van Doorslaer – Short Bio

• 1990-1996: University degrees (Namur, Leuven, Louvain-la-Neuve) in Economics and International Politics
• 1997-2000: Banca Monte Paschi Belgio
• 2000-2003: ING Credit Risk Analyst
• 2003-2014: ING Operational Risk Manager
  – Set up of ORM framework within ING Belgium
  – Team Manager for ORMers (Business Advisory)
  – Scenario Analysis and Risk Assessment
  – Enterprise Risk Management

Agenda

• ING Belgium in 2 slides
• Operational Risk – A young discipline with a lot of dilemmas
  – Risk Cartography: Risk & Event dilemma
  – Completeness: The pixel dilemma
  – Risk Appetite
• Operational Risk vs Operational Excellence
• Operational Risk – Sharing some trends
  – Image & Social media
  – Controls & Communication
  – Cybercrime
    • Need for some “industry approach”
  – Physical security – The next challenge?

Online channels made easier

Home’Bank: new accounts overview

Mobile: ordering ING Visa Classic with ‘MyING.be’

Tablet: launch of ‘Smart Banking’

Home’Bank Plus: sign a business credit online

ORM – a young discipline

[Figure: Risks of a bank. Panels: Basel 1 (1988), Basel 1 (1995), Basel 2 (2004). Labels: Credit Risk, Market Risk, Operat. Risk, Residual risk (« Operational risks »).]

Basel II

• Context
  – The increased competitive environment has pushed the various industries to venture into new markets and new products, which has increased the complexity of their operations and consequently their risk profile. A deeper analysis of all risks is a necessity. Adequate management and supervision of operational risks is one of the big challenges within the banking industry.
  – 9/11 has put increased focus on Financial Economic Crime (FEC), among others terrorism financing (Compliance)
  – The financial crisis has put the focus on operational risks, with increased attention to fraud-related risks
• Definition of Operational Risk
  – The Basel Committee defined operational risk as “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events”. The definition includes legal risk but excludes strategic and reputational risk. Nevertheless, the latter is often included by banks (case of ING).

Basel II

• Basel II – Capital Measurement
  – Basic approach
    • 15 % of income
  – Standardised approach
    • capital = * gross income per business line, with between 12% and 18% depending on business line (Corporate Finance, Trading, Retail,…)
  – Advanced Measurement Approach
    • Need for compliance with quantitative & qualitative standards, such as incident reporting history of 5 years, independent ORM function, involvement of Senior Management, written policies and procedures and active day-to-day ORM
    • 4 quantitative building elements
      – Internal Loss data
      – External Loss data
      – Scenario Analysis
      – Business Environment & Internal Control Factors

Operational & Compliance Risk Department

Basel II

– Next to this definition, the Basel Committee defined (7) operational risk events that are commonly considered as having the potential to result in substantial losses and that help to refine the definition of Operational Risk:
  • Internal Fraud
  • External Fraud
  • Employment practices and Workplace safety
  • Clients, products and Business Practices
  • Damage to physical assets
  • Business disruption and system failures
  • Execution, delivery and process management
– Institutions can adapt these categories to build their own model.

ORM – Risk & Event Dilemma

• Literature
  – All guides related to Operational Risk advise you to start by establishing your « risk cartography » based on existing processes
  – Identify the possible events (impact/likelihood) to prioritize your risk mitigation/management activities

ORM – Risk & Event Dilemma

Whatever the root cause… you’ve lost your building!

That’s the risk…

• Each event can be placed on an impact/likelihood matrix
• In the end, how will you evaluate the overall risk independently from the cause…

Our approach:
• Be sufficiently alert in defining the most probable event.
• Agree on impact.
• Define an « average » likelihood in order to have something realistic vs experience and expectations
• Yearly expected loss as a 2nd check

ORM – Completeness – The pixel dilemma

• All organizations are more and more complex
• After the bank crisis, all parties (regulators, external auditors, … board of directors, …) want to have a complete view on all risks at a very granular level
• Two dilemmas to handle:
  – Keep the overview despite an increasing number of risk points
  – Avoid making a risk appear (absurdly) bigger than it is

Risk Management vs Risk Measurement

Our approach:
• Standard Risk Library
• Detailed issue & action tracking but aggregated measurement and test results (e.g. at value chain level)

Risk appetite

• Where do you place your call for action?
  – Keep business aligned
  – Risk Profile / max Hit / 1 in 10 / Scenario
  – Integrate the Pixel dilemma in the picture

Our approach:
• Relates to gross income at entity level
• Based mainly on risk profile but other concepts are now being integrated
• Attention given to scenario but in separate view
• Split between risk area still to be fine-tuned
• Some recurring discussions
  – Discussion on profile vs incidents
  – Losses vs behaviour
  – How to quantify (& measure) the reputational risk…

Operational Risk & Operational Excellence

• Still seen as two separate (and parallel) journeys… and often perceived as the best enemies
• Operational Excellence focuses mainly on Processing, ensuring an acceptable “Processing Risk”, often without looking at the other risks (Lean, 6
• Bringing both together is a key factor for success and long term savings

Our approach:
• 10 Risk areas
  – Compliance, Control, Personal & Physical Security, Internal Fraud, External Fraud, Unauthorized Activity, Employment Practice Risk, Processing Risk, Business Continuity Risk, IT Risk

Operational Risk & Operational Excellence

• As reducing one risk will increase another one… you have to find the right balance from the beginning and regularly re-challenge this balance, as the environment is also changing
  – Need a holistic view on the risks…
  – Many saving programs lead to serious investments once the holistic view is taken
• Solution? ERM
• Identify and manage risk across the End-to-End Process

Example:
• Payment Name & Address Check
• Following the law can not be enough…

Operational Risk & Operational Excellence

• Imagine that you improve the following process with fuel consumption as the only focus…

Operational Risk – Sharing some trends & feelings

• Image & Social Media
  – Incidents are known by the whole community
  – Social media is used to complain with exponential exposure
  – Image/Reputational impact is huge

Our approach:
• Proactive follow-up of discussions about our company
• Dedicated team to ensure proper communication
• Pro-active media scripts part of incident management

Operational Risk – Sharing some trends & feelings

• Controls & Communication

Case:

In 2010, ING Belgium was targeted by fraudsters due to a higher default limit on their debit card (weekly limit vs day limit). Analysis of the incidents has shown that people above 60 were also specifically targeted. As a temporary solution, it was decided to reduce the default limit of this group of clients. Wrong communication led to strong reactions in the media and complaints related to discrimination. The control was right but was not sustainable due to wrong communication… In the meantime, a default daily limit (applicable for all customers) has been implemented without any reaction.

Operational Risk – Sharing some trends & feelings

• Cybercrime – Global risks requiring an industry broad approach (e.g. awareness)

Case study:
• Awareness campaign built with Febelfin (Association of Belgian Banks)

Operational Risk – Sharing some trends & feelings

• Physical security challenge – Staff & Clients
  – Humans become more and more the easiest “point of failure”
  – Reduction of cash has led to softening the physical protection… is this right?

Thanks for your attention