
Risk management ppt 111p (training module)


Page 1

Introduction

Instructor: Sadia Razzaq

3 days training course on ERP-EBS Modules along with core competencies for zonal managers (OPS/ADMN)

Topic of the day: Operations Risk Management (Concept, Measurement and management techniques)

Page 2

Layout

• Concepts
• Measurements
• Management techniques

Page 3

Concepts

• Historical perspective
• Definitions
• Key terminologies
• Categories
• Risk classes and their interconnections
• Dimensions

Page 4

A Brief History of Operational Risk Management

• Taking the opportunity out of risk and taking the risk out of opportunity is natural. However, making that process explicit, systematic and logical – risk management – only really began with the coming of probability mathematics.

• Since then, areas and industries lending themselves to quantitative analysis have devised increasingly sophisticated mathematics and methodologies to determine the likelihood, impact and exposure to risks. Where data is available the results have been largely successful, but by definition the outcome of risk management is uncertain.

• Further uncertainty arises in the area of operational risk due to the value of economic intangibles such as goodwill, and the volatility of interrelationships amongst the factors determining each aspect of risk and opportunity.

Page 5

Cont….

• Given these features, risk management remains more of an art than a science, despite the growing body of literature classified as risk management.

• In the United States the loss of the Challenger space vehicle and the collapse of thrifts had an impact; in New Zealand it was the collapse of the scenic Cave Creek viewing platform. While these events were sufficiently shocking at a national level to promote the advent of recognized operational risk management processes, at an organization level

• With the rising awareness and recognition of operational risk management as such, various generic standards were published. These have been successful in providing a reference against which individual organizations can compare their own methodologies.

• It is increasingly recognized that a systematic evaluation process will improve the risk management approach.

Page 6

Cont….

• The process of developing, implementing and supervising operational risk management in banks is evolving and incomplete; however, its institutionalization has arisen as a category of regulatory and managerial attention.

• Basel 2 makes the connection between the management of operational risk and good corporate governance in such a way as to position old risks in new space.

• The term ‘operational risk’ was coined in 1991.

• Later, Barings and other scandals such as Daiwa construct the history of operational risk management.

• The emerging risk management agenda is necessarily grafted on to the existing technical agendas of different operational groups.

• Operational risk and the Basel 2 reforms create a new competitive space for various control agents inside financial organizations, who re-launch what they do in the name of operational risk management.

Page 7

Definitions

• ‘Operational risk is the risk of losses resulting from inadequate or failed processes, people and systems or from external events.’

• ‘Operational risk is the risk that deficiencies in information systems or internal controls will result in unexpected loss; the risk is associated with human error, systems failure and inadequate procedures or controls.’

• ‘Operational risk is the risk of adverse impact to business as a consequence of conducting it in an improper or inadequate manner and may result from external factors.’

Page 8

Key Terminologies

• Risk appetite: The point of balance between risk and reward at which a decision maker feels most comfortable.
• Exposure (residual risk): Risks remaining after risk treatments have been applied.
• Inherent Risk: Risks intrinsic to a given situation prior to the application of any alleviating or aggravating treatment.
• Likelihood: A value assigned to the probability or frequency with which a potential event is estimated to occur.
• Opportunity: A potential event deemed to have a positive effect on an organization.
• Risk: A potential event deemed to have an adverse effect on an organization.
• Risk Assessment: A systematic process of analysis and evaluation of risks and opportunities.
• Risk Management: The systematic and conscious understanding, organization and treatment of risks and opportunities.
• Uncertainty: Context in which an event occurs with some probability, the distribution of which is unknown.

Page 9

Cont….

• Operational Risk Management: The systematic assessment and management of the trade-offs made between risk and opportunity to run an efficient and effective organization.

• System risk: The risk that a failure of a single institution could create failures elsewhere in the system because of the interconnectedness of transactions and institutions.

• Operational Risk Event (ORE): A failure of internal processes, people or systems, or a result of external events.

• Treatment: Conscious action in relation to a risk or opportunity:
  - Reject (walk away).
  - Transfer (split the risk with another party).
  - Accept (take the risks and opportunities as they come).
  - Optimize (reconfigure strategy, operations, culture, etc. to maximize opportunity and/or minimize risk).

Page 10

Categories

• Operational risk can be captured in five major categories:
  - Organization
  - Policy/Process
  - Technology
  - Human
  - External

The 5 suggested categories are major and present a valid base for solving problems for management.

Page 11

Cont….

• Organization: risks arising from such issues as change management, project management, corporate culture and communication, responsibilities allocation and business continuity planning.

• Policy and Process: risks arising from weaknesses in processes such as settlement and payment, non-compliance with internal policies or external regulation, or failures in products or client dealings.

• Technology: risks arising from defective hardware or software, failures in other technology such as networks or telecommunications, as well as breaches in IT security.

• Human: risks arising from failure of employees or employer, conflict of interest, or other internal fraudulent behavior.

• External: risks arising from fraud or litigation by parties external to the firm, as well as lack of physical security for the institution and its representatives.

Page 12

Risk classes and their interconnections

Page 13

Cont…

• Reputation risk: The aggregation of the outcome of all risks plus other internal and external factors. Reputation is the outcome of the mix of doing the right thing and doing things right over an extended period.

• Strategy risk: It deals with the existing base of a bank and its options, based on a what-if analysis. Strategy is doing the right thing at the right time. It is not so much the strategy but its implementation that matters, and implementation in turn is Operational risk.

• Operational Risk: Defined as the risk of loss or reputational damage resulting from inadequate or failed internal processes, people and systems or from external events.

Page 14

Dimensions of Risk Management

Risk management can add value and represent a valid business case in two dimensions:

• Control: Independent risk assessment, compliance, business continuity planning, supervisory requirements, limits, progress reporting, escalation, corrections, etc. It covers the following: avoiding accidents, catching non-compliance and illegal actions, complying with rules and regulations, complying with usual management needs.

• Shareholder value creation: efficiency, correct risk evaluation and pricing, duplicate control avoidance, rational economic capital allocation, reduction of regulatory capital, product enhancements, competitive strategic advantage, improved reputation, etc. It adds a further stage which treats Operational Risk more like a real business. Operational Risk management also gets close to quality management, efficiency management and the concept of opportunity cost.

Page 15

Measurements

• Practical instruments and tools
• Models
• The data challenge
• Quantification of operational Risks
• Software use

Page 16

• Management of operations has always used some sort of tools to identify, assess, control and manage Operational Risk in its day-to-day specific area of activity. With the increased awareness of senior management for risks in general and for Operational Risk in particular, these tools have received closer attention.

• No one tool on its own is sufficient; each has its limitations. "Synchronization" of the tools combined with previously discussed, more high level approaches of general management - including audits and compliance measures - is the issue. Such an approach leads to integrated risk management.

Page 17

Practical instruments and tools

1. Control and Risk Self-Assessment (CRSA) is a work team-based technique to help managers identify and measure Operational Risk through estimates based on the consensus opinion of a group of knowledgeable managers and staff. The ultimate objective of this process is to foster the identification, assessment and mitigation of Operational Risk.

• Management must clarify the relationship between the organization's primary corporate objectives and the specific business line objectives for each participating unit. These objectives can include diverse areas, as well as diverse practical applications for every department and every employee function.

• The objectives are analyzed in terms of:
  - Threats: events that could prevent the achievement of an objective
  - Controls: activities that provide additional assurance that objectives are met
  - Agreed residual risk: the real or possible events or situations where a business/quality objective is not being met or may not be met given the controls in use/place.

The information on threats, controls and risks is captured for each business objective. The information is then documented, summarized and reported to senior management. Due to the dynamic nature of a firm's risk profile, CRSA findings should periodically be updated.

Page 18

Cont…

2. Impact & Frequency Scorecard: In particular, Operational Risk events that are identified as having potentially significant impact can be isolated for further analysis, which may include a frequency estimator and an investigative study. Based on the findings from these analytical tools, an appropriate management response can then be deployed.

The following examples illustrate these tools.

Page 19

Impact scoring system (example)

Page 20

Frequency estimator (example)

Page 21

Cont….

3. Risk and Process Mapping: Operational Risk mapping is based on self-assessment / perception survey and is a qualitative technique to identify, categorize, analyze and assign:

• Specific risks against a standard template
• Controls or other tactics to manage identified risks
• Residual risks and desired levels of residual risks
• Responsibility for management of identified risks

Process or activity mapping is a technique employed to describe business processes in a clear, visible way. In the context of OpRisk, it is designed to provide a reflection of the diverse activities that take place within the departments, identifying risk drivers and controls.

Page 22

Risk and Process Mapping (example)

Page 23

Cont…

4. Operational Risk Dashboard

The Operational Risk Dashboard is intended to provide senior management with a simple overview of operational risk levels and directional trends at the highest reporting aggregation level per business unit. The dashboard works on the traffic light principle, grading category-aggregated risk per BU by colour. Risk indicators aggregated to categories as BU specific composites or via group-wide sub categories are evaluated and given a weighting which contributes to the overall Operational Risk category risk grade.
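The weighted traffic-light aggregation the dashboard slide describes, as an added example that is not part of the training module: indicator names, the business unit, thresholds, weights and the composite cut points are all constructed assumptions.

```python
from dataclasses import dataclass

# Added example, not code from the training module: a toy version of the
# traffic-light dashboard. Indicator names, business units, thresholds,
# weights and the composite cut points are constructed assumptions.
COLOUR_SCORE = {"green": 0, "amber": 1, "red": 2}

@dataclass
class Indicator:
    unit: str            # business unit (BU) the indicator is reported for
    category: str        # one of the five categories: Organization, Technology, ...
    name: str
    value: float
    amber_at: float      # value at or above which the indicator grades amber
    red_at: float        # value at or above which the indicator grades red
    weight: float = 1.0  # weighting inside its category composite

def grade_indicator(ind):
    """Traffic-light grade of one indicator against its own thresholds."""
    if ind.value >= ind.red_at:
        return "red"
    if ind.value >= ind.amber_at:
        return "amber"
    return "green"

def composite_score(indicators):
    """Weighted average of indicator scores (0 = green ... 2 = red)."""
    total = sum(i.weight for i in indicators)
    if total <= 0:
        raise ValueError("category has no weighted indicators")
    return sum(COLOUR_SCORE[grade_indicator(i)] * i.weight for i in indicators) / total

def grade_score(score):
    """Map a composite score back to a colour (cut points are an assumption)."""
    if score >= 1.5:
        return "red"
    if score >= 0.5:
        return "amber"
    return "green"

def dashboard(indicators):
    """Aggregate indicators to {BU: {category: (colour, composite score)}}."""
    groups = {}
    for ind in indicators:
        groups.setdefault(ind.unit, {}).setdefault(ind.category, []).append(ind)
    result = {}
    for bu, cats in groups.items():
        result[bu] = {}
        for cat, inds in cats.items():
            score = composite_score(inds)
            result[bu][cat] = (grade_score(score), round(score, 2))
    return result

def trend(current, previous, tolerance=0.25):
    """Directional trend of one BU/category cell between two reporting periods."""
    delta = current[1] - previous[1]
    if delta > tolerance:
        return "deteriorating"
    if delta < -tolerance:
        return "improving"
    return "stable"

# Constructed sample indicators for one BU over two periods (not real data).
PREVIOUS_PERIOD = [
    Indicator("Retail Banking", "Technology", "system outages per month", 1, 2, 5, weight=2),
    Indicator("Retail Banking", "Technology", "patch backlog in days", 20, 30, 60),
    Indicator("Retail Banking", "Human", "staff turnover percent", 8, 10, 15, weight=3),
    Indicator("Retail Banking", "Human", "unfilled key roles", 1, 2, 4),
]
CURRENT_PERIOD = [
    Indicator("Retail Banking", "Technology", "system outages per month", 4, 2, 5, weight=2),
    Indicator("Retail Banking", "Technology", "patch backlog in days", 40, 30, 60),
    Indicator("Retail Banking", "Human", "staff turnover percent", 18, 10, 15, weight=3),
    Indicator("Retail Banking", "Human", "unfilled key roles", 1, 2, 4),
]

if __name__ == "__main__":
    now, before = dashboard(CURRENT_PERIOD), dashboard(PREVIOUS_PERIOD)
    for bu, cats in now.items():
        for cat, cell in cats.items():
            print(bu, cat, cell, trend(cell, before[bu][cat]))
```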

Page 24

Operational Risk Dashboard (example)

Page 25

Cont….

5. Loss Event Database: A loss event database captures and accumulates individual loss events across business units and risk types. A loss event database is the only tool which measures, quantifies and provides financial Operational Risk data. An established and complete database can potentially be used for modeling purposes and be applied to external loss events.

Page 26

Models

1. Factor-derived Models: These models apply causal factors to build a prediction of the LEVEL of RISK. They tend to produce a figure for the relative future value of the causal factors on Operational Risk, but not necessarily of the operational LOSS amount. They are also considered to be only partially representative of Operational Risk root causes.

For example, they would use a combination of error rates, failed reconciliations, employee training expenditure, staff turnover, indicators of the IT system complexity, indicators for the quality of governance, etc. to project a level of OpRisk.

Page 27

Cont…

2. Indicator-based Models: Indicator-based quantification is a possible method for the quantification of Operational Risk and the corresponding regulatory capital allocation. The level of Operational Risk is identified by a multiple of a simple observable indicator or a combination thereof. Suggested indicators include: gross revenues, fee income, operating costs, managed assets or total assets adjusted for off-balance sheet exposures.

Page 28

Cont…

3. Statistical / Actuarial / Simulation-based Models

These models use actual loss data to construct representations of operational loss frequencies and severities in the form of statistical probability distributions. To do this, they require many data points and have to rely on the existence of complete Operational Risk databases.

Simulation-based quantification models are very popular in the literature on Operational Risk, particularly the actuarially inspired Monte Carlo simulation technique. The prime reason for this is that they allow filling the data gap prevailing in Operational Risk for low-probability events.

The flaw is that the present state of Operational Risk data does not allow for any backtesting of the correctness of the generated distribution. In addition, slight changes in the environment, due to the high context dependency of Operational Risk, will have a significant impact on the generated distribution. These would require reviewing the entire underlying simulation setting.
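A minimal actuarial-style Monte Carlo aggregate loss model of the kind the slide describes, as an added example that is not code from the training module; the Poisson frequency, lognormal severity, one-year horizon, 99% confidence level and all parameter values are constructed assumptions, and the last function makes the slide's caveat visible by showing how far the 99% figure moves for a small severity-parameter change.

```python
import math
import random

# Added example, not code from the training module: a simulation-based
# (actuarial) aggregate loss model. The Poisson frequency, lognormal severity
# and every parameter value are constructed assumptions, not calibrated data.

def sample_poisson(lam, rng):
    """Number of loss events in one year (Knuth's method; fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_losses(lam, mu, sigma, n_years, seed=2024):
    """One aggregate loss per simulated year: a Poisson number of lognormal events."""
    rng = random.Random(seed)
    annual = []
    for _ in range(n_years):
        events = sample_poisson(lam, rng)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return annual

def quantile(values, p):
    """Empirical p-quantile (nearest rank) of a list of values."""
    if not 0 < p <= 1:
        raise ValueError("p must be in (0, 1]")
    ordered = sorted(values)
    return ordered[max(0, math.ceil(p * len(ordered)) - 1)]

def loss_summary(annual, confidence=0.99):
    """Expected loss, operational VaR at the confidence level and their gap."""
    expected = sum(annual) / len(annual)
    var = quantile(annual, confidence)
    return {
        "expected_loss": expected,
        "var": var,
        "unexpected_loss": var - expected,   # the capital-style figure
        "loss_free_years": sum(1 for a in annual if a == 0),
    }

def sensitivity(lam, mu, sigma, n_years, bump=0.1, confidence=0.99):
    """Ratio of VaR after a small change in the severity spread (sigma + bump)
    to VaR before it, using the same seed so only the parameter differs."""
    base = loss_summary(simulate_annual_losses(lam, mu, sigma, n_years), confidence)
    bumped = loss_summary(simulate_annual_losses(lam, mu, sigma + bump, n_years), confidence)
    return bumped["var"] / base["var"]

if __name__ == "__main__":
    # Assumed: 8 events per year on average, median severity about 5,000 units.
    params = dict(lam=8.0, mu=math.log(5000), sigma=1.0)
    summary = loss_summary(simulate_annual_losses(n_years=20000, **params))
    for key, val in summary.items():
        print(f"{key:>16}: {val:,.0f}")
    print(f"VaR ratio after sigma +0.1: {sensitivity(n_years=20000, **params):.2f}")
```

The printed ratio is the point of the slide's caveat: a parameter shift too small to be rejected by the sparse loss data still moves the 99% figure noticeably, and without backtesting data nothing tells you which setting is right.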

Page 29

Cont…

4. Loss-Scenario / Qualitative Assessment Models

These models produce a subjective loss estimate for a given time horizon (say one year) and confidence level (say 99%), based on the experience and expertise of key managers. Weaker assessment forms could just require ranking of the Operational Risk level for each element of a risk map or checklist.

Qualitative assessment models have been put forward as they are particularly well suited for tackling both the frequent non-observability of Operational Risk and its high context dependency. A purely qualitative assessment can also be turned into a quantification method.

Such methods have the advantage of enhancing transparency of the CHANGE of Operational Risk. They also allow proactive management of the level of Operational Risk. However, as they rely on the subjective judgment of experts, they are only appropriate for a crude quantification of the Operational Risk economic capital level and Operational Risk capital allocation.

Page 30

The data challenge

• Data availability is a precondition. Activities only turn into data if they are recorded in a form which can be retrieved at a later stage.
• The operational risk data should be available in ‘frequency’ and ‘level of detail’.
• Operational Risk data should be systematically collected for all departments, business lines or clusters.
• Many risk areas just cannot be measured. They require judgment. Accordingly, two types of data, qualitative data and quantitative data, must be distinguished.
• It is extremely important that the information to be captured in the data is clearly defined, in terms of content, feature and unit. This is a precondition for standardization and for tracking possible failures of reporting, formats, etc.
• Structured data is a key rule to success: discipline is required in allocating tags to Operational Risk data such as definition, time, source, organization and frequency references, etc. to be able to make use of them.

Page 31

Cont…

• It must be possible for data points to be combined in a reliable and credible database system and turned into real information.
• Data quality and its consistency over time is the issue.
• Consistency of statistics is core.
• Relevance has to be ensured. Times do change. New environments, new products are put in place. Constant surveys and checks of the type of data being used must be performed to avoid "white noise" or unrealistic indicators.
• Pollution of databases happens. Polluted and fake data produce not only incorrect or incomplete but also misleading indicators.
• Without maintenance, a database engine cannot run. Data must consistently be reported, loaded and updated.

Page 32

Quantification of operational risks

In this exercise, we will look at whether it is possible to measure each element of Operational Risk separately or whether only a qualitative assessment can be performed.

Quantification / measurement generally involves looking at four aspects of a phenomenon within an organization:

• Its size, severity or intensity
• Its frequency
• Its context dependency: different in different situations
• Its interaction - contagion/correlation - with other events

Size describes the observed extent of a move. Frequency describes the number of times a move of a given size occurs within, say, a given time period or a given organizational unit. Context dependency describes whether the move size is different in different situations or not.

Page 33

Cont….

The lower the observability of moves in terms of size and frequency, and the higher their context dependency and interaction, the more difficult it will be to measure the Operational Risk sub-category. In such cases a qualitative assessment offers the best alternative for quantification.

"Technology" and "external risks" should allow for a database based quantification, similar to the one performed for market or credit risk.

"Organization, policy and process", however, only permit a quantification based on qualitative assessments.

Given the challenge that only relatively few elements in Operational Risk are credibly measurable and quantifiable, it is essential on the management level not to make the measurable important, but the important measurable.

Page 34

Software Solution

Modern IT systems lead to new processes. The pressure from everywhere to invest continuously and dramatically - including in the interest of risk reduction - in modern processes is immense.

Integrated IT networks are central, especially for a global institution. Internet related technologies enable much higher and more sophisticated levels of co-ordination, globality, efficiency and flexibility.

However, they open the door to chaos and risks if they are not consistent, structured, harmonized and stable over time.

The new technologies lead to unique opportunities to modify and/or overhaul business processes as to workflow, service delivery and risk reduction.

Page 35

Cont….

• Check Point Risk Management Software

It is a software solution that allows efficient operational risk management in order to improve business processes and performance as well as simplifying regulatory compliance.

Features:
• Business Unit documentation
• Process documentation and flowcharting
• Risk analysis based on impact / likelihood assessment
• Quantitative analysis of frequency and severity using Monte Carlo simulations
• Control identification and testing
• Residual risk auto-calculation
• Document and manage incidents / losses
• Action plans and tasks
• Automated alerts
• User-definable reports
• Interactive and drill-down dynamic dashboards
• Access and data control based on permissions

Page 36

Management techniques

• Principles of Operational Risk Management
• Stages of Operational Risk Management
• Organizational models for managing risks
• Frameworks for Operational Risk Management
• Internal Control

Page 37

Principles of Operational Risk Management

• There are 12 Golden Rules in Risk Management. They are the result of observations and adjustments over the years and apply to Operational Risk aspects as well.

1. Risk is uncertainty about future results.
2. The 6 S's for the systematic mental discipline of an organization, in logical sequence: strategy, structure, system, systems, safety, speed.
3. Clear structure, allocation of responsibility and accountability, and discipline are basic preconditions.
4. Rigorous measures in case of non-compliance/breaches.
5. Completeness, integrity and relevance of data/systems/information as a basis.
6. Risk management is a tenacious process, not a program.

Page 38

Cont…

7. Risk management is part art, part science.
8. Models are always only part of an overall risk management approach and must include common sense.
9. Complexity is the enemy of speed and responsiveness: try hard for simplicity.
10. Self-management and leadership with regard to a culture of open communication based on "experience" and know-how are increasingly challenging: ban knowledge-hoarders and turn knowledge-givers into heroes as part of the evaluation/incentive process.
11. A responsible control/compliance/risk culture is as important as the most sophisticated quantification.
12. Successful risk management is primarily the result of the capacity, aptitude and attitude of the people involved: people shape the culture, reputation and brand equity.

Page 39

Stages of Operational Risk Management

Page 40

Cont…

Implementing Operational Risk management implies the progression through the following four stages. Meridien Research approximates the lead time from Stage 1 to Stage 4 at a minimum of 2 - 3 years, depending on the complexity and the size of an organization. The research indicates that most of the Top 500 financial institutions worldwide are still in Stages 1 and 2. A handful have attained Stages 3 and 4.

Page 41

Organizational models for managing risks

A survey has identified 3 generic organizational models for Operational Risk management:

• A Head Office Operational Risk function
• A dedicated but decentralized support
• Internal Audit playing a lead role in Operational Risk management.

Page 42

Cont…

• Audit driven Operational Risk Management

It is self-evident that auditing and controlling activities do not report to those who are audited. Internal and external audits play a very relevant role, especially in the Operational Risk arena. It is true that many conventional audits are more control-oriented or concentrate on symptoms. However, forward-looking and diligent audit reports are an excellent base for operational improvements and the reduction or elimination of Operational Risk: from ex-post assessments to ex-ante improvements.

The audit driven approach is the most pragmatic and readily implementable approach in Operational Risk management. As important as the audit reports themselves are the corresponding follow-ups and corrective actions by those concerned.

Page 43

Cont…

There is no commonly accepted benchmark or model as to the methodology of managing Operational Risk. As is to be expected in the art of management, there are arguments for both top-down and bottom-up approaches in Operational Risk management.

Page 44

Frameworks for Operational Risk Management

A common framework for Operational Risk management for banks which has emerged recently includes integrated processes, tools and mitigation strategies. This framework has 6 components.

Page 45

Internal control

Three main objectives and roles of the internal control framework:

• Efficiency and effectiveness of activities (performance objectives)

• Reliability, completeness and timeliness of financial and management information (information objectives)

• Compliance with applicable laws and regulations (compliance objectives)

Page 46

Cont….

Internal control consists of 5 interrelated elements:

• Management oversight and the control culture
• Risk recognition and assessment
• Control activities and segregation of duties
• Information and communication
• Monitoring activities and correcting deficiencies

An appropriate control and compliance culture is part of the risk culture. This "cultural aspect" needs close and continued attention by senior management. "Culture" is qualitative. It cannot be quantified or modeled.

Page 47

Cont…

Operational Risk Control: 12 General Rules as a Check List

1. Have a control environment and a compliance culture which accepts internal supervision
2. Regulators' standards are continuously being raised
3. Map regulatory requirements directly to compliance control
4. Organize the activities so that they can be controlled
5. Construct procedures relevant for the concrete activity
6. Document the procedures and maintain the relevant documents
7. Train management and staff
8. Special attention for control procedures
9. Compliance plays an increasingly core role for OpRisk control

Page 48

Cont….

10. E-commerce presents a new control/compliance challenge
11. Supervisory board and senior management have an increasing responsibility for controls and compliance: from back to board room
12. Procedures should ideally have the following characteristics:
  - Single document as to rules and requirements
  - Structured along the activity flow
  - Comprehensive
  - Clear: so someone else can pick it up; see staff turnover, role of temps and consultants
  - Instructing: what is to be done in case of...
  - Teachable: so it can be used as a training aid
  - Implementable: use simple check lists
  - Auditable

Page 49

The End

“Our lives improve only when we take chances, and the most difficult risk we can take is to be honest with ourselves”

Walter Anderson