Operational Risk Management +
Six Sigma = Success
Presenter: Roberta Pek
Director of Operational Risk
Freddie Mac
2012 ASQ Lean and Six Sigma Conference
Session Number: G2
Learning Outcomes
Provide practical ideas & tools your organization
can use to:
 Create a workforce focused on identifying &
managing operational risk
 Teach employees to operate as risk managers
 Foster a culture of accountability &
transparency
Lean/Six Sigma techniques support these efforts.
2
Freddie Mac: Making Home Possible
• Provide liquidity, stability & affordability to the
housing market
• Support the nation’s housing recovery
– Provide access to affordable homeownership and
rental housing
– Help borrowers avoid foreclosure and stabilize
communities
– Freddie Mac provided Foreclosure Alternatives to
nearly 525,000 Families since the start of 2009
• Foster responsible lending & servicing practices,
while minimizing exposure to risk
3
Operational Risk Awareness: Make It Real
Risk is
 “squishy”
 an abstract concept for many employees but they act
the first lines of defense to identify, assess & manage it.
 the uncertainty around some future event
Operational Risk focuses on issues related people,
process, technology and external events
 What can go wrong?
 How bad could it be if it goes wrong?
 How likely is it to go wrong?
 What should I do about it?
4
The 3 Cs: Drivers of Operational Risk
Each driver indicates a potential operational risk.
When layered, risk rises rapidly.
What processes in your organization
coalesce in the red zone?
5
Linking Operational Risk & Lean Six Sigma
Operational Risk
Lean /Six Sigma
Tools
What can go wrong?
Define
 Stakeholder Analysis
 Voice of the Customer
 Affinity Diagrams
SIPOC
Risk & Control Self Assessment
How bad can it be?
Measure
Data sampling & collection
Failure Modes & Effects Analysis
How likely is it to go
wrong?
Analyze
Process Mapping
Loss event data analysis
Root Cause Analysis (5 Whys)
Hypothesis Testing
What should we do
about it?
Improve/Control
Pilot a process
Control Charts
Standardize for Repeatability
6
Tools to Help Identify Operational Risk:
Risk and Control Self Assessments
“What can go wrong?”
People
Process
•Employee Fraud and Theft
• Workplace Safety
•Compensation
•Staffing Expertise and Adequacy
•Data Quality
•Process Execution
•Process Management
•Sourcing and Counterparties
•Vendors and Suppliers
Technology
•Planning and Organization
•Acquisition and Implementation
•Delivery and Support
•Monitoring and Evaluation
7
External Events
•Business Continuity
•Damage to Physical Assets
•External Fraud and Theft
•Information Privacy
>$$$
HIGH
LH
Largest Plausible Loss
$$ to $$$
MODERATE
LM
<$
LOW
SEVERITY
The Heat Map: A Tool to Quantify “Squishy”
LL
MH
HH
MM
HM
ML
HL
L OW
MODERATE
HIGH
An event can be reasonably expected
Between 10 Years and 100 Years
Between 1 Year to 10 Years
Within 1 Year
1% to 10% chance of occurrence
10% to 50% chance of occurrence
> 50% chance of occurrence
LIKELIHOOD
“How bad can it be?”
“How likely it is to go wrong?”
8
Controls: “What should I do about it?”
Controls are activities that help to reduce the likelihood of a
negative (bad) outcome from some future event.
• Risk and controls are linked –you need to look at both sides of the
issue.
Controls apply to the:
• Appropriate use, handling and physical safeguarding of corporate
assets and records such as laptops, computers, file room data
• Processing of transactions from initiation to recording in the general
ledger.
• Use of standard operating procedures to reduce variability (also
known as noise) allowing for a repeatable process.
Mapping the end to end processes provides a
roadmap to risk and control self assessment.
9
Process Mapping: Draw the Picture
D o c u m e n t M a n a g e m e n t:
Im a g in g w ith R u le s B a s e d A u d itin g
Regional O ffices
R e s o lv e
is s u e
S ta r t
S ig n e d
D ocum ent
Package
r e c e iv e d fr o m
c u s to m e r
L o g P a c k a g e in
T r a c k e r S y s te m
D o e s s y s te m
A ccept pkg #?
Yes
S c a n d o c u m e n ts
in to T r a c k e r
S y s te m
No
P e r fo r m In itia l
Q C p ro cess o n
im a g e s
C
Q C th r e s h o ld s
a c h ie v e d ?
C
C
No
Yes
C
R e s o lv e Is s u e
(s ta tu s c o d e s ,
bar codes vs
m a n u a l in p u t),
p k g ty p e
R e le a s e im a g e s
to in d e x in g c u e
P ro cess p ap er
d o c u m e n ts fo r
file s to r a g e
C entralized Processing
C enter
D ocum ent M anagem ent
Vendor
C
C
P e r fo r m lo a n
le v e l d o c u m e n t
in d e x in g b a s e d
o n p r e d e te r m in e d
c r ite r ia
P e r fo r m In d e x in g
Q C p ro cess
Q C th r e s h o ld s
a c h ie v e d ?
R e s o lv e
is s u e
Yes
R e le a s e Im a g e s
to th e r e p o s ito r y
No
end
C
No
C
P e r fo r m a u d it o f
im a g e d file
a g a in s t b u s in e s s
r u le s
B u s in e s s r u le
fa ilu r e s ?
Yes
R o u te to
e x c e p tio n
p r o c e s s in g
a u d ito r s fo r
r e s o lu tio n
Is s u e
r e s o lu tio n
a c h ie v e d ?
C
No
C
C lo s e
p r o c e s s in g o n
th e file .
yes
end
The Sticky Note Method: Place key stakeholders in a room with sticky notes
& craft paper. Walk the widget through the process
10
en
d
Putting It Together at the Business Line
Risk
“What can go wrong?” “How bad can it be?” “How likely is it to go wrong?”
Transactions are processed incorrectly by less seasoned staff resulting in rework.
Drive
Control Objective
Process the transaction correctly the first time every time.
Satisfied by
Control Activities
Standard operating procedures, job aids, partnering new hires with more experienced
staff, feedback on error rates, & targeted retraining.
11
Employee Accountability:
Becoming Risk-Aware Starts on Day One
• New Hire Orientation drives the message that as a
member for the Freddie Mac team, you are a manager of
risk, regardless of the job title.
• Every employee, from individual contributors to executive
management, has a risk accountability objective which
they are measured against in their performance review.
 Conducting business in a risk-aware manner
 Identifying, assessing, and managing the risks within the context
of the specific job position
 Reviewing existing controls to identify any gaps, ineffective, poorly
designed or unnecessary controls
 Escalating an issue quickly to management
12
Employee Accountability:
Becoming Risk-Aware Starts on Day One
For people managers, the risk management objective
covers key areas:
• Setting the tone for risk accountability in the workgroup
• Building risk management into operating plans
• Reviewing opportunities to simplify controls
• Conducting business in a risk aware manner
• Encouraging employees to escalate issues quickly
• Ensuring all employees effectively identify, assess and
manage risk
13
Fostering Accountability & Transparency:
Each Level Has a Role
Board
Enterprise Risk Management
Committee
Operational Risk Management
Sub-Committee
Enterprise Risk Oversight Division
Business Line / Operational Risk Managers
14
Becoming Risk Aware……
• Starts on day one for each employee
• The tone is set at the top levels of the organization with
clear roles and responsibilities
• Drive the right behaviors and accountability via
performance goals around risk mitigation
• Make it real for the employee…..everyone has the
responsibility to identify, assess and manage risk
• Provide tools empower the employee. They are the front
lines of risk mitigation
15
16