Operational Risk
Risk Appetite & Operational Excellence
Catherine van Doorslaer
Operational Risk Manager at ING Belgium
Catherine van Doorslaer – Short Bio
• 1990-1996:
– University degrees (Namur, Leuven, Louvain-laNeuve) in Economics and International Politics
• 1997- 2000: Banca Monte Paschi Belgio
• 2000-2003: ING Credit Risk Analyst
• 2003-2014: ING Operational Risk Manager
Set up of ORM framework within ING Belgium
Team Manager for ORMers (Business Advisory)
Scenario Analysis and Risk Assessment
Entreprise Risk Management
• ING Belgium in 2 slides
• Operational Risk – A young discipline with a lot of
– Risk Cartography : Risk & Event dilemma
– Completeness : The pixel dilemma
– Risk Appetite
• Operational Risk vs Operational Excellence
• Operational Risk – Sharing some trends
– Image & Social media
– Controls & Communication
– Cybercrime
• Need for some “industry approach”
– Physical security – The next challenge?
Online channels made easier
Home’Bank: new accounts overview
Tablet: launch of ‘Smart Banking’
Home’Bank Plus: sign a business credit online
Mobile: ordering ING Visa Classic with ‘MyING.be’
ORM – a young discipline
Risks of a bank
« Operational risks »
Basel 1 (1988)
Basel 1 (1995)
Basel 2 (2004)
Residual risk
Basel II
– The increased competitive environment has pushed the various
industries to venture into new markets and new products which has
increased the complexity of their operations and consequently their
risk profile. A deeper analysis of all risks is a necessity. Adequate
management and supervision of operational risks is one of the big
challenge within the banking industry.
– 9/11 has put increased focus on Financial Economic Crime (FEC)
a.o. terrorism financing (Compliance)
– Financial crisis has put the focus on operational risks with an
increased attention to fraud related risks
Definition of Operational Risk
– The Basel Committee defined operational risk as “the risk of loss
resulting from inadequate or failed internal processes, people and
systems, or from external events”.
The definition includes legal risk but excludes strategic and
reputational risk. The nevertheless, the latest is often included by
banks (case of ING).
Basel II
Basel II – Capital Measurement
– Basic approach
• 15 % of income
– Standardised approach
• capital =  * gross income per business line, with  between
12% and 18% depending on business line (Corporate Finance,
Trading, Retail,…)
– Advanced Measurement Approach
• Need for compliance with quantitative & qualitative standards,
such as incident reporting history of 5 years, independent ORM
function, implication of Senior Management, written policies and
procedures and active day-to-day ORM – 4 quantitative building
Internal Loss data
External Loss data
Scenario Analysis
Business Environment & Internal Control Factors
al &
ce Risk
Basel II
– Next to this definition, the Basel Committee defined (7)
operational risk events that are commonly considered as
having the potential to result in substantial losses and
that help to refine the definition of Operational Risk:
Internal Fraud
External Fraud
Employment practices and Work place safety
Clients, products and Business Practices
Damage to physical assets
Business disruption of system failures
Execution, delivery and process management
– Institutions can adapt these categories to build their own
ORM – Risk & Event Dilemma
• Literature
– All guides related to Operational Risk advises you
to start by establishing your « risk cartography »
based on existing processes
– Identify the possible events (impact/likelihood) to
prioritize your risk mitigation/management
Whatever the root cause…
you’ve lost your building!
That’s the risk…
ORM – Risk & Event Dilemma
• Each event can be placed on a impact/likelihood matrix
• At the end how will you evaluate the overall risk
independently from the cause…
Our approach:
Be sufficiently alert in defining the most probable event.
Agree on impact.
Define an « average » likelihood in order to have something realistic vs
experience and expectations
Yearly expected loss as a 2nd check
ORM – Completeness – The pixel dilemma
• All organizations are more and more complex
• After the bank crisis, all parties (regulators,
external auditors, … board of directors, …) want
to have a complete view on all risks at a very
granular level
• Two dilemmas to handle :
ORM – Completeness – The pixel dilemma
– Keep the overview despite an increasing number
of risk points
ORM – Completeness – The pixel dilemma
– Avoid to make a risk appear (absurdly) bigger than
it is
ORM – Completeness – The pixel dilemma
ORM – Completeness – The pixel dilemma
Risk Management vs Risk Measurement
ORM – Completeness – The pixel dilemma
Our approach:
Standard Risk Library
Detailed issue & action tracking but aggregated measurement and test
results (e.g at value chain level)
Risk appetite
• Where do you place your call for action?
– Keep business aligned
– Risk Profile / max Hit / 1 in 10 / Scenario
– Integrate the Pixel dilemma in the picture
Our approach:
Relates to gross income at entity level
Based mainly on risk profile but other concepts are now being integrated
Attention given to scenario but in separate view
Split between risk area still to be fine-tuned
Some recurring discussions
• Discussion on profile vs incidents
• Losses vs behaviour
• How to quantify (& measure) the reputational risk…
Operational Risk & Operational Excellence
• Still seen as two separate (and parallel) journeys…
and often perceived as the best enemies
• Operational Excellence focuses mainly on Processing
ensuring an acceptable “Processing Risk” often without
looking at the other risk (Lean, 6S, ...)
Our approach :
10 Risk areas
• Compliance, Control, Personal & Physical Security, Internal Fraud,
External Fraud, Unauthorized Activity, Employment Practice Risk,
Processing Risk, Business Continuity Risk, IT Risk
• Bringing both together is a key factor for success and long
term savings
Operational Risk & Operational Excellence
• As reducing one risk will increase another one… you best
have to find the right balance as from the beginning and
regularly re-challenge this balance as environment is also
– Need an holistic view on the risks…
– Many saving programs lead to serious investments once the
holistic view is taken
Payment Name & Address Check
Following the law can not be enough…
• Solution?
• Identify and manage risk across the End-to-End Process
Operational Risk & Operational Excellence
• Imagine that you improve the following process with the
fuel consumption as only focus…
Operational Risk – Sharing some trends & feelings
• Image & Social Media
– Incidents are known by the whole
– Social media is used to complain
with exponential exposure
– Image/Reputational impact is huge
Our approach:
Proactive follow-up of discussions about our company
Dedicated team to ensure proper communication
Pro-active media scripts part of incident management
Operational Risk – Sharing some trends & feelings
• Controls & Communication
In 2010, ING Belgium has been targeted by fraudster
due to a higher default limit on their debit card (weekly
limit vs day limit). Analysis of the incidents has shown
that people above 60 were also specifically targeted.
As temporary solution, it has been decided to reduce
the default limit of this group of clients.
Wrong communication lead to strong reactions in the
media and complaints related to discrimination.
Control was right but was not sustainable due to wrong
In the meantime default daily limit (applicable for all
customers) has been implemented without any reaction.
Operational Risk – Sharing some trends & feelings
• Cybercrime – Global risks requiring an industry broad
approach (e.g. awareness)
Case study:
Awareness campaign built with Febelfin (Association of Belgian Banks)
Operational Risk – Sharing some trends & feelings
Operational Risk – Sharing some trends & feelings
• Physical security challenge – Staff & Clients
– Human become more and more the easiest “point of failure”
– Reduction of cash has lead to soften the physical protection…
is this right?
Thanks for your attention

Title in Arial regular 36 pt.