Title Slide Sample

advertisement
Measuring and Managing
Operational Risk
Assessing Operational Risk Exposure
Required Process of Continuous Risk Assessment,
Monitoring and Reporting
Reporting
Risk
Identification
Mitigation Planning
& Execution
Measuring/
Monitoring
Control
Assessment
Likelihood and
Severity
2
The Process
• Risk Identification
• Assessment of Control Framework
• Risk Likelihood/Severity Assessment
• Measurement & Monitoring
• Reporting
• Mitigation
3
The Tools
• Control and Risk Self Assessment
• Key Risk Drivers and Indicators
• Loss Data
• Issue and Event Data
• Audit and Compliance Reports
• Scenario Analysis
4
Control and Risk Self Assessment
(CRSA)
• Utilises business management to identify risks
and controls
• Comes in various forms
– Scorecard Closed Questionnaire
– Open ended Questionnaire
– Business defined risks and controls
• Can be based on interviews or brain storming
sessions
5
Risk Drivers and Indicators
Drivers
Indicators
•Transaction Volume
•Transaction errors
•Staff Turnover
•Aged confirmations
•Market Volatility
•Reconciliations
•Training hours vs.
plan
•Audit points
outstanding
•Product complexity
•Settlement fails
•Operational loss
6
Loss Data
•Pinpoints actual areas of control failures
•Highlights cost of operational risk
•Losses should be assigned to the business areas
where they originated
•Data required for modelling Operational Risk
Capital requirement.
•Both internal and external loss data can be
utilised
7
Internal Loss Data
•Apply a minimum reporting threshold E.g.
Losses > Eur20,000
•Make sure you record at least the 4 W’s
(What, when, where, why)
•Allocate losses to correct business line and
risk category.
•Ensure that you can revise the individual
losses to record recoveries
•Include all losses !
8
Loss Event Types
•Internal Fraud
•External Fraud
•Employment Practices & Workplace Safety
•Clients, Products & Business Practices
•Damage to Physical Assets
•Business Disruption & System Failures
•Execution, Delivery & Process Management
9
External Loss Data
• A number of sources. E.g. BBA Gold
database, OpVantage.
• Tends to focus on large tail event losses
• Good source of data to fill gaps in own
data if using an LDA to capital allocation
• Issues of applicability and scalability
• Often used for control failure comparison
and scenario analysis
10
Key Risk Drivers & Indicators
•Much of the data is already available
•Must agree limits beyond which risk is
considered unacceptable
•Must be indicators of risk not just of
performance
•Should try to be predictive
•Ideally should be aligned to risks identified in
CRSA and scenario analysis
11
Common Problems with Risk Indicators
•Performance related not risk related
•Where do you set the targets
•Inconsistent and non-comparable
•Historical not predictive
•One dimensional.
•Management takes it personally
12
Possible Solutions
•Adapt performance indicators to become risk
indicators with their own specific targets.
•Targets should be ratified by senior management.
•Try to be consistent across business lines. Its easier
to compare and aggregate
•Combine drivers and risks
•E.g. Outstanding reconciliations compared to
volume and estimated staff turnover/absence.
•Present KRI’s as risk management tools not
instruments of blame.
13
Issue and Event Data
•Not all control failures result in loss
•“Near miss” data adds value by verifying
controls are working and that risks exist
•Control failure profits are as important as
losses. Good source for potential fraud.
•Evidences adequate monitoring and control
awareness
14
Audit and Compliance Reports
•Ideal source of control verification
•Independent review may highlight risks that
have been overlooked or evaded
•Underscore efforts for risk mitigation
•Highlight topical risk areas
•Can provide valid control comparison
15
Scenario Analysis
•Apply some formal real world “what if”
analysis to your processes
•Highlight control weakness before it results
in losses
•Stress test identified points of failure to test
resilience
•Test again to ensure mitigation is working
16
Problems and Practicalities
•Continued management support.
•Management deniability.
•KRI’s focussed on performance.
•Loss data collection and apportionment.
•Time and resource.
•External loss data applicability.
•Real world scenario analysis.
•Turning the data into a workable capital
allocation model for AMA.
17
Applying Common Sense to Control
• The better the controls the less the chance of loss
• The level of controls need to be equivalent to the level
of risk
• Controls need to be consistently applied and measured.
• All controls should be documented and staff should be
aware of the controls applicable to their function.
• Failures need to be highlighted investigated and
understood.
• Operational Risk losses need to be tracked to reflect
the levels of risk in a particular product or process.
• Risk measurement is the first step to evidencing risk
management
18
Questions ?
Download