Operational Risk Management in Small Banks

Operational Risk Definition
Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The definition includes legal risk* but excludes strategic and reputational risk. (Basel II n.644)
*Legal risk includes, but is not limited to, exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements.

Compliance, Strategic & Reputational Risk
• Compliance Risk – The current and prospective risk to earnings or capital arising from violations of, or noncompliance with, laws, rules, regulations, internal policies and procedures, or ethical standards.
• Strategic Risk – The current and prospective impact on earnings or capital arising from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes.
• Reputational Risk – The current and prospective impact on earnings and capital arising from negative public opinion.
Need for formal definitions for the Bank, including how these risks are being measured and managed.

Drivers of Operational Risks
Risks could arise from failures in:
• Process
• People
• Systems
Operational failure occurs every time one or more of these resources is inadequate to the task being performed:
• Insufficient quality or quantity (capacity or capability)
• Unavailable at a critical stage (availability & criticality)
• Breakdown altogether
Or as a result of External Events.
Any of these failures could lead to customer dissatisfaction and/or losses to the bank.
Loss event type classification
(Type – Definition – Activity Examples)

• Internal Fraud – Intentional fraud, misappropriation of property, involving at least one internal party. Examples: Transactions not reported (intentionally); Intentional mismarking of position; Fraud/forgery.
• External Fraud – Intentional fraud, misappropriation of property, by a 3rd party. Examples: Theft/robbery/forgery; Hacking systems/theft of information.
• Employment Practices and Workplace Safety – Acts inconsistent with employment, health & safety practices and laws; discrimination. Examples: Employee relation issues; Safety issues; Discrimination.
• Clients, Products & Business Practices – Unintentional or negligent failure to meet professional obligations to specific clients, or arising from the design of a product/service. Examples: Suitability (KYC issues); Aggressive sales; Misuse of confidential information; Improper market practices; Product flaws/model errors; Failure to investigate client per guidelines; Exceeding client exposure limits; Disputes over performance of advisory activities.
• Damage to Physical Assets – Loss or damage to physical assets from natural disaster or other events. Examples: Natural disaster losses; Human losses from terrorism, vandalism.
• Business Disruption and System Failures – Disruption of business or system failures. Examples: Hardware/software failure; Telecommunications; Utility outage.
• Execution, Delivery & Process Management – Failed transaction processing/process management, or failure of relations with trade counterparties. Examples: Incorrect capture (e.g. of data entry), missed deadlines; Delivery failure; Inaccurate reporting; Missing client permissions/legal documents; Incorrect client records; Misperformance of 3rd party suppliers/counterparties.

Are adequate controls in place?
Control – activity that reduces the incidence of risk, reduces the possibility that something will go wrong, thus helping us achieve process objectives.

Recommended Controls (Type – Controls)
• Internal Fraud – Segregation of duties; Internal controls; Double checking.
• External Fraud – Firewalls; Encryption; Double checking.
• Employment Practices and Workplace Safety – Training; Enforcement; Provision of protective clothing; Adherence to safety standards.
• Clients, Products & Business Practices – Compliance department; Prevention of money laundering procedures; System; Internal audit; Risk management.
• Damage to Physical Assets – Insurance; Sound building management; Safety measures.
• Business Disruption and System Failures – Uninterruptible power supply; Preventive maintenance; Standby systems/backups; Physical security; Alternative business sites.
• Execution, Delivery & Process Management – Training; Internal audits; Double checking; Procedures standards; Risk management.

Basle Committee Sound Principles
Allocates responsibilities related to operational risk and its management to the various organisational functions and external bodies.
• Establishment & review of Op Risk Framework & Strategy (BoD & Senior mgt)
• Implementing strategy & developing policies (Senior mgt)
• Communication to oversee and manage the framework
• Processes and systems to identify, assess, monitor operational risk exposures & loss events
• Policies, controls & procedures re control & mitigation of risks
• Supervisors should ensure effective systems are in place to identify, measure, monitor and control operational risks & evaluate reporting mechanisms
• Public disclosure to inform market participants of op. risk exposure and the quality of its operational risk management

Strategy & Risk Appetite
An Operational Risk Mgt Framework for the Bank was drawn up and approved in 2008 and is being implemented by ORU.
An OR Strategy should set out the risk exposure profile, include a statement of risk appetite, and state the overall approach to identification, measurement, reporting & transfer of Op Risk (in accordance with Best Practice).
A general Operational Risk Management Policy is needed to fit within an overarching risk management policy. These objectives should serve to support the risk management framework and move us towards closer alignment with business strategy.

Governance – Three Lines of Defence

Operational Risk Management Framework
Operational risk management is about managing the exposure to expected operational loss events as well as reasonably probable unexpected losses. Framework components:
• Risk Identification
• Loss Database
• Key Risk Indicators
• Scenario Analysis
• Business Continuity Planning
• Information Security & Information Quality

Risk Mapping Methodology
Phase 1 – Identify process & business units involved; understand process objectives; map current (AS IS) process. Output: Current Process Maps AS IS (Level 1-3). Driven by Op. Risk & Mgt Services.
Phase 2 – Identify complete issues/risks; evaluate risks (scoring). Outputs: Risk Matrix; Risk Assessment; Risk Map. Driven by PMF.
Phase 3 – Set objectives for TO BE; options identification. Outputs: Review of Risk Assessment to understand benefits derived; Final TO BE recommendations; set of recommendations for a changed process to be presented at Executive Committee. Driven by Op. Risk.
Phase 4 – Approval & implementation of recommendations. Output: Project Team set up to implement approved changes. Driven by PMF.
Phase 5 – Review & update Process Maps, Risk Assessment & Risk Map. Driven by PMF.
Participants across the phases: Ext. Consultants & PMF Core Team (includes Op. Risk representatives); SMEs; Risk Map Panel.

Identifying Risks
• What is the possibility that something can go wrong?
• Does your process sometimes fail to deliver its objectives?
• Where are the gaps between where we are now and where we want to be?
• What is not working well?
• Can you think of past incidents that may have led to losses, inefficiencies or customers being dissatisfied with this part of the process?

Risk Assessment Process
Scoring each issue/risk in terms of the Severity of Impact. Each severity score will be weighted:
• Financial & Performance – 58%
• Reputational – 30%
• Human Aspect – 12%
Then determine the probability that the issue/risk will occur.

Risk Assessment Questionnaire
Impact on Bank's Performance – This area tries to assess whether a material monetary loss would occur because of this issue/risk in this particular process. The risk of such a loss would increase in proportion to the volume of transactions and the complexity of the operation.
• If this issue materialises, what would be the monetary loss to the Bank? 0 = No material loss or <€x; 1 = Between €x-<€x; 2 = Between €x-<€x; 3 = Over €x.
• Volume/complexity of transactions? 0 = Relatively low volumes on a daily basis (<x); 1 = Normal volumes on a daily basis (>x<x); 2 = High volumes on a daily basis (>x<x); 3 = Very high volumes on a daily basis (>x).
Impact on Bank's Reputation – This area will take into account the possible impact that the issue could have on the bank's reputation with both regulators and the market.
• Impact on the bank's reputation with customers, the markets, Regulators? Scored 0-3 (scale descriptions shown as xx on the slide).
Human Aspect – This area evaluates whether the process in question is more prone to human risks or whether it incentivises offences/omissions.
• Does the process require specialist knowledge for which we are dependent on only one or two persons? Scored 0-3 (scale descriptions shown as xx on the slide).
Estimation of Likelihood – The issue or risk is expected to happen: scored 0-5 (scale descriptions shown as xx on the slide).

Estimation of likelihood of occurrence
• Very Frequent: once a week (or more often)
• Regular: monthly
• Likely: quarterly
• Occasional: yearly
• Unlikely: every 5 yrs
• Remote: every 30 yrs

Risk Matrix
Rows (Probability): Very frequent – may happen once a week or more; Regular – happens approx. once a month; Likely – happens approx. once a quarter; Occasional – happens approx. once a year; Unlikely – happens once between 1 & 5 years; Remote – may happen in 15 years.
Columns (Severity of impact): 0-10; >10-30; >30-50; >50-75; >75-100.
Cell values as extracted from the slide (cell layout lost): 15 17 13 4 1 / 51 16 10 10 4 / 11 3 3 6 2 / 1 1 1.

Loss Database
To move from the Basic Indicator Approach to the Standardised Approach, the Bank must satisfy a number of criteria, including the ability to keep track of relevant operational risk data on losses or near misses, report on operational risks to relevant functions and have procedures to take appropriate action. (BR/04/2007)
An internal loss database must capture all material activities and exposures from all appropriate sub-systems. Typical fields include:
• Loss event category
• Amount and recoveries – basis of severity
• Date – basis of frequency
• Business activity, business unit
• Cause – narrative
• Effect/impact

Key Risk Indicators
KRIs: measurable metrics that track exposure or loss or problem areas. Such indicators become key when they track especially important exposures. They must act like "early warning systems".
The challenge of identifying the right KRIs is to identify measures:
• that will help us address those issues that have the highest impact on our customers and business
• that will give us an indication of what action needs to be taken (understand what message

Scenario Analysis
Process of obtaining information on low-frequency-high-severity losses through expert opinions of business managers and stress testing. Scenarios are seen as an efficient way of bringing issues to the surface and promoting risk management.
Scenarios may be used in risk mitigation decisions and/or cost/benefit analysis, and to:
• Create risk awareness
• Bring together different functions to discuss a topic
• Consider emerging risks before there is loss data
• Link into insurance purchasing decisions
We have undertaken scenario analysis for ICAAP (Internal Capital Adequacy Assessment Programme) reporting and also to increase awareness of Operational Risk at Board level:
• Pandemic flu outbreak and large-scale absenteeism
• 3rd party fraud in credit cards
• 3rd party fraud in the credit granting process
• IT risks related to service delivery, solution delivery, IT benefit realisation, security of information & IT assets
• Risk related to unavailability of a critical system – Prospero
• 3rd party fraud in the Payments area
We need to be in a position to carry out periodic scenario analysis with regular reviews to determine whether the scenarios are still relevant:
• Assess whether the defined scenarios best reflect the major drivers of OR, e.g. the ORX survey includes the most common topics – Processing errors (12%); Mis-selling & business practices (9%); External fraud (9%); …
• Need to work out a process to validate scenarios

Enterprise-wide Business Continuity Plan
What is it? It is the making of proactive and reactive plans to help the Bank survive a crisis or major disruption and return to 'business as usual' as quickly as possible.
What should we plan against? Plan to recover from possible threats:
• Inaccessibility of premises
• Failure in computer systems
• Sudden shortage of staff
• Suspension of the service chain by a key supplier
Threats exist to all businesses. Once they happen, loss is inevitable. BUT … we can contain loss. Therefore we set off to make a plan to manage disruptions and recover as quickly as the customer, regulator or the market expect – the Enterprise-wide Business Continuity Plan (BCP).
Enterprise-wide BCP: Enterprise-wide plan; Prioritization of tasks; Setting up of alternative sites.

Op Risk Mgt – What value will be derived?
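The risk assessment scoring and the loss database slides above describe a method without showing it in operation: three impact dimensions scored 0-3 and weighted 58/30/12, a six-level likelihood scale, and a loss database whose amount/recovery and date fields are the basis of severity and frequency. The following Python is an added example, not code from the presentation or the Bank. It assumes the weighted 0-3 score is normalised to the matrix's 0-100 severity axis (the deck does not state this mapping), expresses the likelihood scale as a minimum event rate per year, and uses a small constructed set of loss events to derive an observed frequency band per Basel event type. The helper names are hypothetical.

```python
"""Worked example of the deck's frequency/severity scoring driven by a loss
database. Added illustration; the 0-100 normalisation and the per-year
thresholds are assumptions, and all loss events below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Weights from the Risk Assessment slide: Financial & Performance 58%,
# Reputational 30%, Human Aspect 12%. Each dimension is scored 0-3.
WEIGHTS = {"financial": 0.58, "reputational": 0.30, "human": 0.12}
MAX_SCORE = 3

# Likelihood scale from the deck as minimum events per year
# (assumption: "every 5 yrs" = 0.2 per year; anything rarer is "Remote").
LIKELIHOOD_BANDS = [
    ("Very frequent", 52.0),   # once a week or more
    ("Regular", 12.0),         # monthly
    ("Likely", 4.0),           # quarterly
    ("Occasional", 1.0),       # yearly
    ("Unlikely", 0.2),         # every 5 years
]

# Severity bands on the risk matrix's 0-100 axis (upper bound, label).
SEVERITY_BANDS = [(10, "0-10"), (30, ">10-30"), (50, ">30-50"),
                  (75, ">50-75"), (100, ">75-100")]


@dataclass
class LossEvent:
    """Typical loss-database fields named on the Loss Database slide."""
    event_date: date
    event_type: str        # Basel loss event type
    business_unit: str
    amount: float          # gross loss
    recoveries: float = 0.0
    cause: str = ""

    @property
    def net_loss(self) -> float:
        return self.amount - self.recoveries


def weighted_severity(financial: int, reputational: int, human: int) -> float:
    """Weighted impact score, scaled to 0-100 (assumed normalisation)."""
    for score in (financial, reputational, human):
        if not 0 <= score <= MAX_SCORE:
            raise ValueError("each dimension is scored 0..3")
    raw = (WEIGHTS["financial"] * financial
           + WEIGHTS["reputational"] * reputational
           + WEIGHTS["human"] * human)
    return round(raw / MAX_SCORE * 100, 1)


def severity_band(score: float) -> str:
    """Map a 0-100 severity score onto the matrix's column bands."""
    for upper, label in SEVERITY_BANDS:
        if score <= upper:
            return label
    raise ValueError("score above 100")


def likelihood_band(events_per_year: float) -> str:
    """Map an observed event rate onto the deck's likelihood scale."""
    for label, minimum in LIKELIHOOD_BANDS:
        if events_per_year >= minimum:
            return label
    return "Remote"


def summarise(events, observation_days: int) -> dict:
    """Per event type: count, total net loss, observed rate, likelihood band.
    Amount/recoveries give severity, dates give frequency, as the slide says."""
    by_type = defaultdict(list)
    for ev in events:
        by_type[ev.event_type].append(ev)
    years = observation_days / 365.0
    summary = {}
    for etype, evs in by_type.items():
        rate = len(evs) / years
        summary[etype] = {
            "count": len(evs),
            "net_loss": round(sum(e.net_loss for e in evs), 2),
            "events_per_year": round(rate, 2),
            "likelihood": likelihood_band(rate),
        }
    return summary


# Constructed sample loss database covering one year of observation.
SAMPLE_EVENTS = [
    LossEvent(date(2024, 1, 9), "External Fraud", "Cards", 1200.0, 0.0, "card-not-present fraud"),
    LossEvent(date(2024, 3, 2), "External Fraud", "Cards", 950.0, 0.0, "lost/stolen card"),
    LossEvent(date(2024, 5, 21), "External Fraud", "Cards", 3000.0, 1000.0, "chargeback recovered in part"),
    LossEvent(date(2024, 8, 14), "External Fraud", "Cards", 400.0, 0.0, "skimming"),
    LossEvent(date(2024, 11, 3), "External Fraud", "Cards", 2200.0, 200.0, "account takeover"),
    LossEvent(date(2024, 6, 30), "Business Disruption and System Failures", "IT", 15000.0, 0.0, "core system outage"),
    LossEvent(date(2024, 2, 12), "Execution, Delivery & Process Management", "Payments", 500.0, 0.0, "data entry error"),
    LossEvent(date(2024, 9, 27), "Execution, Delivery & Process Management", "Payments", 750.0, 0.0, "missed deadline"),
]

if __name__ == "__main__":
    for etype, row in summarise(SAMPLE_EVENTS, 365).items():
        print(f"{etype}: {row}")
    score = weighted_severity(financial=3, reputational=2, human=0)
    print("severity", score, severity_band(score))
```

Running the block prints one summary row per event type and the severity band for an issue scored 3/2/0; in a real programme the matrix cell would be set from the questionnaire's likelihood answer where loss data is too sparse to observe a rate, which is the gap scenario analysis is meant to fill.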
• Key aspect of effective corporate governance
• Reduced exposure to, and avoidance of, operational risk losses through risk mitigation
• Improved operating efficiency
• Reduced earnings volatility
• Rationalised allocation of capital between business uses
• Regulatory compliance
• ERM component
• Management of the new product approval process
• Change in culture and enhancement of awareness