OPERATIONAL RISK: THE NON-FINANCIAL RISK ASPECT OF THE ERM, 26 - 28 November 2012
Youness El Kandoussi Manager – Operational Risk Boubyan Bank yelkandoussi@bankboubyan.com LinkedIn Profile: kw.linkedin.com/in/younesselkandoussi
OUTLINE
THE ERM WHEEL
ERM DEFINED
THE RISK ASSESSMENT PROCESS REPRESENTS THE CORNERSTONE OF AN EFFECTIVE ERM PROGRAM
ISSUES IN ERM IMPLEMENTATION
OPERATIONAL RISK: A KEY COMPONENT OF ERM
DEFINITION OF OPERATIONAL RISK
OPERATIONAL RISK SOURCES
OPERATIONAL RISK MANAGEMENT AND MEASUREMENT TOOLS
THE RCSA: A MAP OF THE ORGANIZATION'S RISKS AND CONTROLS
THE ERM WHEEL
ERM DEFINED: “… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.
ERM DEFINED:
• Concerned with a broad financial and operating perspective
• Recognizes interdependencies among corporate, financial, and environmental factors
• Strives to determine and implement an optimal strategy to achieve the primary objective: maximize the value of the firm
• Create and increase company value
• Ensure business continuity
• Stabilize earnings
• Enhance opportunities for the company to achieve its objectives
• Make risk management more cost-efficient
ERM DEFINED: A complex process… involving broad-based and in-depth knowledge and understanding… requiring an appropriate corporate culture,… and creativity… born of a variety of experiences… and insatiable curiosity.
THE RISK ASSESSMENT PROCESS REPRESENTS THE CORNERSTONE OF AN EFFECTIVE ERM PROGRAM
Risk assessment is intended to provide management with a view of events that could impact the achievement of objectives. It is best integrated into existing management processes and should be conducted using a top-down approach that is complemented by a bottom-up assessment process. Boards of directors— and particularly board audit committees—often request enterprise-wide risk assessments to ensure that key risks are identified and duly addressed.
Risk assessment can therefore be conducted at various levels of the organization. The objectives and events under consideration determine the scope of the risk assessment to be undertaken. Examples of frequently performed risk assessments include:

Strategic risk assessment. Evaluation of risks relating to the organization’s mission and strategic objectives, typically performed by senior management teams in strategic planning meetings, with varying degrees of formality.

Operational risk assessment. Evaluation of the risk of loss (including risks to financial performance and condition) resulting from inadequate or failed internal processes, people, and systems, or from external events. In certain industries, regulators have imposed the requirement that companies regularly identify and quantify their exposure to such risks. While responsibility for managing the risk lies with the business, an independent function often acts in an advisory capacity to help assess these risks.
Compliance risk assessment. Evaluation of risk factors relative to the organization’s compliance obligations, considering laws and regulations, policies and procedures, ethics and business conduct standards, and contracts, as well as strategic voluntary standards and best practices to which the organization has committed. This type of assessment is typically performed by the compliance function with input from business areas.

Internal audit risk assessment. Evaluation of risks related to the value drivers of the organization, covering strategic, financial, operational, and compliance objectives. The assessment considers the impact of risks to shareholder value as a basis to define the audit plan and monitor key risks. This top-down approach enables the coverage of internal audit activities to be driven by issues that directly impact shareholder and customer value, with clear and explicit linkage to strategic drivers for the organization.
Financial statement risk assessment. Evaluation of risks related to a material misstatement of the organization’s financial statements through input from various parties such as the controller, internal audit, and operations. This evaluation, typically performed by the finance function, considers the characteristics of the financial reporting elements (e.g., materiality and susceptibility of the underlying accounts, transactions, or related support to material misstatement) and the effectiveness of the key controls (e.g., likelihood that a control might fail to operate as intended, and the resultant impact).

Fraud risk assessment. Evaluation of potential instances of fraud that could impact the organization’s ethics and compliance standards, business practice requirements, financial reporting integrity, and other objectives. This is typically performed as part of Sarbanes-Oxley compliance or during a broader organization-wide risk assessment, and involves subject matter experts from key business functions where fraud could occur (e.g., procurement, accounting, and sales) as well as forensic specialists.
Market risk assessment. Evaluation of market movements that could affect the organization’s performance or risk exposure, considering interest rate risk, currency risk, option risk, and commodity risk. This is typically performed by market risk specialists.

Credit risk assessment. Evaluation of the potential that a borrower or counterparty will fail to meet its obligations in accordance with agreed terms. This considers credit risk inherent to the entire portfolio as well as the risk in individual credits or transactions, and is typically performed by credit risk specialists.
Customer risk assessment. Evaluation of the risk profile of customers that could potentially impact the organization’s reputation and financial position. This assessment weighs the customer’s intent, creditworthiness, affiliations, and other relevant factors. This is typically performed by account managers, using a common set of criteria and a central repository for the assessment data.

Supply chain risk assessment. Evaluation of the risks associated with identifying the inputs and logistics needed to support the creation of products and services, including selection and management of suppliers (e.g., up-front due diligence to qualify the supplier, and ongoing quality assurance reviews to assess any changes that could impact the achievement of the organization’s business objectives).
Product risk assessment. Evaluation of the risk factors associated with an organization’s product, from design and development through manufacturing, distribution, use, and disposal. This assessment aims to understand not only the revenue or cost impact, but also the impact on the brand, interrelationships with other products, dependency on third parties, and other relevant factors. This type of assessment is typically performed by product management groups.

Security risk assessment. Evaluation of potential breaches in an organization’s physical assets and information protection and security. This considers infrastructure, applications, operations, and people, and is typically performed by an organization’s information security function.
Information technology risk assessment. Evaluation of the potential for technology system failures and of the organization’s return on information technology investments. This assessment would consider such factors as processing capacity, access control, data protection, and cyber crime. This is typically performed by an organization’s information technology risk and governance specialists.

Project risk assessment. Evaluation of the risk factors associated with the delivery or implementation of a project, considering stakeholders, dependencies, timelines, cost, and other key considerations. This is typically performed by project management teams.
ISSUES IN ERM IMPLEMENTATION
• Different corporate cultures require different ERM approaches
• Who is going to be the ERM champion within the company?
  – Among senior executives
  – Among departments / functions
• How to embed a risk management culture and responsibilities throughout the firm
WHERE OPERATIONAL RISK STANDS
OPERATIONAL RISK A KEY COMPONENT OF ERM
DEFINITION

Basel II defines operational risk:
“Operational risk is defined as the risk of loss resulting from inadequate or failed processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk. Legal risk includes, but is not limited to, exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements.”

JPMorgan Chase defines operational risk:
“Operational risk is the risk of loss resulting from inadequate or failed processes or systems, human factors or external events.”
OPERATIONAL RISK SOURCES

Operational risk is the risk of loss resulting from inadequate or failed processes or systems, human factors or external events. There are four main causes of operational risk that are identified in standard operational risk definitions. Operational risk events can occur when there are inadequacies or failures due to:
• people (human factors)
• processes
• systems, or
• external events
OPERATIONAL RISK MANAGEMENT AND OPERATIONAL RISK MEASUREMENT
There are two sides to operational risk—operational risk management and operational risk measurement. There is often a tension between these two activities, as well as frequent overlap. Basel II requires capital to be held for operational risk, and offers several possible calculation methods for that capital. This capital requirement is the heart of the operational risk measurement activities, and requires quantitative approaches. In contrast, firms must also demonstrate that they are effectively managing their operational risk, and this often requires qualitative approaches. A successful operational risk program combines qualitative and quantitative approaches to ensure operational risk is both appropriately measured and effectively managed.
OPERATIONAL RISK MANAGEMENT

“Similar rigor should be applied to the management of operational risk, as is done for the management of other significant banking risks…” Basel Committee

Management
• Operational risk management is as important as all other ERM risks

Risk Appetite
• Developing risk appetite for operational risk can be challenging
• The organization has to understand the level of exposure

Policies
• Should outline the organization’s approach to identifying, assessing, monitoring and controlling/mitigating operational risk
OPERATIONAL RISK MANAGEMENT AND OPERATIONAL RISK MEASUREMENT
Operational Risk Management: qualitative assessment of operational risk
Operational Risk Measurement: quantitative assessment of operational risk
OPERATIONAL RISK MEASUREMENT TOOLS

The array of operational risk measurement tools available to implement an effective operational risk management framework includes:
• Loss data collection
• Risk and control self assessments
• Scenario analysis
• Key risk indicators
INTERACTION BETWEEN RISK MANAGEMENT TOOLS
RISK CONTROL SELF ASSESSMENT OVERVIEW
• It is a process for the organization to integrate and co-ordinate its risk identification and risk management efforts and, generally, to improve the understanding, control and oversight of risks
• Provides a systematic means of identifying control gaps that threaten the achievement of defined business or process objectives, and of monitoring what management is actually doing to close these gaps
• Formulates appropriate action plans to address identified control gaps, taking into account risk-reward (cost-benefit) considerations, with progress against these plans monitored as part of the overall risk management approach
• Promotes analysis and monitoring of factors that affect the level of risk exposure
• Acts as a complementary audit and management tool, as well as being the generally accepted means to satisfy corporate governance and regulatory requirements
• Key tool in sharing consistent and reliable risk information across the “Three Lines of Defense”, i.e. Business, Risk and Audit, so that a consistent risk profile can be derived

Why is it important? RCSA can help the Firm and the Business to identify the risks and take remedial actions so as to:
• Protect reputation
• Prevent losses
• Minimize compliance and legal breaches
• Improve the quality of service to clients
OP RISK MANAGEMENT FRAMEWORK DIAGRAM
BENEFITS
• It is a common language of risk information across the organization
• It enables better Enterprise Risk Management and aggregation of risk data
• It provides clear and specific ownership of action plans
• It enables open discussion of risk and control matters amongst staff and management, leading to better transparency and understanding of risk and its implications across the business
• It leads to cultural change, helping risk management to become embedded at all levels of the organization, with respect to both day-to-day activities and longer-term business decision making
• It can demonstrate to Auditors and Regulators how risks are managed within the Business
ROLES AND RESPONSIBILITIES
Business:
• Identifying and managing risk by implementing an effective control structure
• Developing and maintaining an effective Risk and Control Self Assessment using the Risk Management Platform
• Staff who are aware of risk issues should escalate them to their Manager for input into the RCSA
• Ensure the RCSA is updated on occurrence of a major loss event, new product or material change of process

Business Partner:
• Providing assistance and comments to facilitate the front-to-back assessment

Risk Management:
• Ensure that the Risk and Control Self Assessment accurately reflects the risk profile of the business, and that its content accuracy is concurred to, on an annual basis, by the Business or Business Partner Department Manager who owns the document
• Making sure the RCSA is updated by the process owner for process changes, poor audits, or major losses

Regulators, Internal Audit and Control:
• Periodically review and test to validate adherence to policy
• Leverage the results of the RCSA for planning and for drawing conclusions on the risk profile
COMPONENTS OF RCSA
• The identification of business objectives, which can be defined either in terms of business targets or process delivery goals;
• The identification of risks that could threaten the achievement of those objectives, and of the activities and processes affected by the different risks identified;
• Identifying the controls in place intended to prevent the risks from crystallizing;
• Determining where responsibility for performing those controls lies; and
• An assessment of the effectiveness of the controls in operation and the level of residual risk remaining after control.

The scope of the RCSA can be defined in a way that meets the characteristics of the Firm and the Business.
HOW TO EXECUTE RCSA (what / how)
1. Risk identification: forward looking; consider Inherent Risks, scan the environment and follow the risk drivers
2. Evaluation of controls: assess the types, adequacy and effectiveness
3. Assessment of Residual Risks: determine the likelihood and rating
4. Formulation of Risk Action Plans: based on risk and rewards, with accountability assigned and time line tracked
5. Reporting: timely, clear indication of the risk profile, with actions traceable and relevant to the recipients of the RCSA information
6. Plan for next cycle: concurred annually, and updated based on trigger events
AN EXERCISE OF RCSA: Control Portfolio weighted scaling

We select the risk below with 3 supposed controls:
Risk: Contract & documentation risk
Controls: Policies & procedures; Physical security; Authorization & approval
Control ranking: 1 Primary, 2 Secondary, 3 Tertiary

Control Effectiveness for the controls portfolio (1, 2, 3) = Σ_{i=1..3} ω_i α_i
where:
α_i is the effectiveness of control i, and ω_i is the weight of control i.

Using γ as the constant relationship from one weight to the next one, the weights can be expressed mathematically as ω_i = γ^(i-1) × p, where 0 < γ < 1, i is the i-th control weight category and p is a proxy value for the three control weights ω_i. Consider γ equal to 2/3 for our three-control portfolio:
1st: γ^(i-1) × p = (2/3)^0 × p = p
2nd: γ^(i-1) × p = (2/3)^1 × p = (2/3)p
3rd: γ^(i-1) × p = (2/3)^2 × p = (4/9)p

γ = 2/3
Control weight category | γ^(i-1) | ω_i
1st | 1 | 9/19
2nd | 2/3 | 6/19
3rd | 4/9 | 4/19

If γ = 1/3:
Control weight category | γ^(i-1) | ω_i
1st | 1 | 9/13
2nd | 1/3 | 3/13
3rd | 1/9 | 1/13

and the weights still show the importance given to primary, secondary and tertiary controls sequentially.

The values calculated above are obtained from solving p + (2/3)p + (4/9)p = 1, i.e. (19/9)p = 1, so p = 9/19, and
1st: γ^(i-1) × p = (2/3)^0 × p = p = 9/19
2nd: γ^(i-1) × p = (2/3)^1 × p = (2/3)p = 6/19
3rd: γ^(i-1) × p = (2/3)^2 × p = (4/9)p = 4/19
(for γ = 1/3, solving p + (1/3)p + (1/9)p = 1 gives p = 9/13).

Applying these weights to the controls (the table in sheet1), assuming that the 1st control is effective, the second control is satisfactory and the 3rd control is unsatisfactory:
1st control: 80% effectiveness
2nd control: 60% effectiveness
3rd control: 40% effectiveness

Control effectiveness = (80% × 9/19) + (60% × 6/19) + (40% × 4/19) ≈ 65%
AN EXERCISE OF RCSA: Inherent and Residual score calculations

Our severity and frequency scale is as below:

Rating | Frequency scale | Severity scale | Risk level (score)
1 | Improbable | Negligible | Base^0
2 | Remote | Negligible | Base^1
3 | Occasional | Moderate | Base^2
4 | Probable | Major | Base^3
5 | Frequent | Enormous | Base^4

Heat map using the simple risk scale score (frequency rating × severity rating):
    | 1   2   3   4   5
1   | 1   2   3   4   5
2   | 2   4   6   8   10
3   | 3   6   9   12  15
4   | 4   8   12  16  20
5   | 5   10  15  20  25

Heat map using the intuitive risk scale (Base = 2, so the level scores are 1, 2, 4, 8, 16):
    | 1   2   4   8   16
1   | 1   2   4   8   16
2   | 2   4   8   16  32
4   | 4   8   16  32  64
8   | 8   16  32  64  128
16  | 16  32  64  128 256

Let's assume that our Contracts & Documentation Risk is scaled as follows:
Frequency scale: 3, Occasional
Severity scale: 5, Enormous

To bring the risk scaling to the same nature as the control scaling, we use a base that best reflects the transition from one risk level to the next one. This base is a positive real number greater than 1 (one), representing the common risk factor, as follows:
severity risk score = Base^(n_s − 1), where n_s is the severity risk level
frequency risk score = Base^(m_f − 1), where m_f is the frequency risk level
inherent risk = frequency risk score × severity risk score = Base^(m_f − 1) × Base^(n_s − 1)

With Base = 2, our example gives a frequency risk score of 2^(3 − 1) = 4 and a severity risk score of 2^(5 − 1) = 16, so the inherent risk is 4 × 16 = 64: High Risk on the heat map.

The Residual risk is then: (1 − control effectiveness) × inherent risk. Applied to our example: (1 − 65%) × 64 ≈ 22: Medium Risk.

See Gene Alvarez and Phil Gledhill*, Risk net Magazine, January and February 2011 issues.
*Philip Gledhill is director – operational risk services at IMAG, and has more than 30 years of experience in operational risk management and banking, treasury and capital markets operations. Gene Alvarez is executive director - operational risk management at JPMChase, and has almost 15 years' experience in risk management and banking and capital markets.
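As an added worked example (not from the slides, and not Boubyan Bank's or the cited authors' code), the following Python reproduces both parts of the RCSA exercise: the geometrically weighted control effectiveness for any γ and number of controls, the Base^(level − 1) frequency and severity scores, the inherent and residual risk, and the intuitive heat map. Function names, the exact-fraction arithmetic and the default Base = 2 are choices made here; the 80/60/40% effectiveness values and the Occasional/Enormous rating are the constructed inputs of the slides' own exercise.

```python
"""Worked RCSA scoring from the exercise: geometrically weighted control
effectiveness, base-2 inherent risk scores and the residual risk."""
from fractions import Fraction


def control_weights(gamma, n: int) -> list[Fraction]:
    """Weights w_i = p * gamma**(i-1), i = 1..n, normalised to sum to 1.
    The primary control gets the largest weight; each following control gets
    gamma times the one before.  gamma may be a Fraction, int or str like "2/3".
    """
    g = Fraction(gamma)
    raw = [g ** i for i in range(n)]          # gamma**0, gamma**1, ...
    p = 1 / sum(raw)                          # solves p*(1 + gamma + ...) = 1
    return [p * r for r in raw]


def control_effectiveness(weights, alphas) -> Fraction:
    """Portfolio effectiveness = sum_i w_i * alpha_i, alpha_i in [0, 1]."""
    if len(weights) != len(alphas):
        raise ValueError("one effectiveness value per control is required")
    return sum((w * Fraction(a) for w, a in zip(weights, alphas)), Fraction(0))


def level_score(level: int, base: int = 2) -> int:
    """Map a 1..5 frequency or severity level onto base**(level-1)."""
    if level < 1:
        raise ValueError("risk levels start at 1")
    return base ** (level - 1)


def inherent_risk(frequency_level: int, severity_level: int, base: int = 2) -> int:
    """Inherent risk = base**(m_f-1) * base**(n_s-1)."""
    return level_score(frequency_level, base) * level_score(severity_level, base)


def residual_risk(inherent: int, effectiveness: Fraction) -> Fraction:
    """Residual risk = (1 - control effectiveness) * inherent risk."""
    return (1 - effectiveness) * inherent


def heat_map(levels: int = 5, base: int = 2) -> list[list[int]]:
    """Frequency x severity grid of inherent scores on the intuitive scale."""
    scores = [level_score(i, base) for i in range(1, levels + 1)]
    return [[f * s for s in scores] for f in scores]


if __name__ == "__main__":
    # Constructed inputs mirroring the slides' exercise: three controls ranked
    # primary/secondary/tertiary at 80 %, 60 % and 40 % effectiveness, and a
    # risk rated Occasional (3) for frequency and Enormous (5) for severity.
    w = control_weights("2/3", 3)
    ce = control_effectiveness(w, ["0.8", "0.6", "0.4"])
    inh = inherent_risk(3, 5)
    res = residual_risk(inh, ce)
    print("weights:", [str(x) for x in w])                   # 9/19, 6/19, 4/19
    print(f"control effectiveness: {float(ce):.0%}")         # 65%
    print("inherent:", inh, "residual:", round(float(res)))  # 64 22
    for row in heat_map():
        print(" ".join(f"{v:4d}" for v in row))
```

Changing γ to "1/3" reproduces the second weight table (9/13, 3/13, 1/13), and a different Base changes the heat map and the inherent score while the control side of the computation stays the same.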