Ops- Risk Presentation

  • 8/3/2019 Ops- Risk Presentation

    1/44

    WORKSHOP ON MANAGING OPERATIONAL RISK

    Javed Ahmed

    Risk Manager, Meezan Bank Ltd.

    Operational Risk

    Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.

    includes legal risk, but
    excludes strategic and reputational risk

    Definition of Operational Risk

    The risk of loss resulting from any inadequate or failed internal processes or from external events

    Potential or forward looking

    Causal Categories: Employee Behaviour, Corporate Behaviour, Information Technology, Force Majeure

    Inadequate collateral management, Failed matching of cash & securities, Missed timelines, Unenforceable documentation, Internal fraud

    People and systems in the regulatory definition are captured in internal process

    External Fraud, Fire, Flood, Legal action, Tax, Regulations, False money, Terrorism

    Why Operational Risk Included

    Citigroup US$70M fine for failing to comply with federal lending regulations.

    First National Bank of Keystone US$691M embezzlement & loan fraud by senior managers

    Bank of America US$490M lawsuit settled for failure to adequately 3rd party relationships at the time of merger with Nations Bank

    Legal settlements by several firms for unfair business practices.
    Providian US$300M, FirstUSA US$40M, Advanta US$7.2M, Sears US$36M.

    CIBC paid US$25M penalty to SEC and USD100MM restitution to customers for rapid trading and market timing of hedge funds

    August 05 Arab Bank New York Branch USD24MM penalty for failing to properly implement anti-money laundering controls.

    August 05 CIBC - USD2.4B settlement with University of California for lost investments. Two CIBC executives have also paid personal fines for their role in the fraud.

    August 05 Merrill Lynch - $37MM settlement with stockbrokers not paid proper overtime.

    SBP Penalty

    Fraud, Forgery and Dacoity Cases

    No. of Cases: 62 (2006-09)

    No. of Outstanding Cases: 23

    Amount involved in outstanding cases: Rs. 163 million

    Amount outstanding: Rs. 84 million

    Nature of Cases

    Issuance of cheque book on forged requisition slip

    Fraudulent withdrawal / Forged cheque

    Misappropriation of security deposit

    Pocketing of deposits

    Opening of fake account and transfer of money

    Fraudulent withdrawals through internet banking / ATM

    Fake property documents

    Issuance of Fake deposit slip

    Dacoity

    Basel II: Evolution of Ops Risk

    Minimum Capital Requirement

    Risk-weighted Exposures

    Market Risk (No Change): Risk of losses in on and off balance sheet positions arising from movements in market prices

    Credit Risk (Major Changes): Potential that a bank borrower or counterparty will fail to meet its obligations in accordance with agreed terms

    Operational Risk (New element added): Risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or external events

    Defining & Understanding Operational Risk

    Incident Definition

    Cause Event Effect

    An actual event resulting from inadequate or failed internal processes or from external events which has, could, or could have, led to a loss, a gain, or an opportunity cost

    Risk Drivers and Indicators

    Drivers

    Transaction Volume
    Staff Turnover
    Market Volatility
    Training hours vs. plan
    Product complexity

    Indicators

    Transaction errors
    Aged confirmations
    Reconciliation
    Audit points outstanding
    Settlement fails
    Operational loss

    Operational Risk Loss Event Types

    Operational Risk

    Internal Fraud: Unauthorized Activity; Theft and Fraud
    External Fraud: Theft and Fraud; System Security
    Employment Claims: Employee Relations; Safe Environment; Diversity & Discrimination
    Clients & Third Party Claims: Suitability, Disclosure & Fiduciary; Improper Business or Market Practices; Product Flaws; Selection, Sponsorship & Exposure; Advisory Activities
    Damage to Physical Assets: Disasters & Other Events
    Business disruption and system failures: Systems
    Transaction Processing Errors / Omissions: Transaction Capture, Execution & Maintenance; Monitoring & Reporting; Customer Intake & Documentation; Customer / Client Account Management; Trade Counterparties; Vendor & Suppliers

    Risk categorization scheme divides operational risk into seven major risk types and twenty sub risk types.

    Basel II - Loss Event Types Definitions

    Level 1 Categories: Definition

    Internal Fraud: Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity / discrimination events, which involves at least one internal party

    External Fraud: Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party

    Employment Practices and Workplace Safety: Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity / discrimination events

    Clients, Products & Business Practices: Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.

    Damage to Physical Assets: Losses arising from loss or damage to physical assets from natural disaster or other events.

    Business disruption and system failures: Losses arising from disruption of business or system failures

    Execution, Delivery & Process Management: Losses from failed transaction processing or process management, from relations with trade counterparties and vendors

    Incident Types

    Loss
    Gain
    Opportunity Cost
    Near Miss
    (Undetermined)

    Incidents Causes Types

    Individual Behaviour
    Organisational & Corporate Behaviour
    Information Technology
    External Banking Environment
    Non Banking External Environment

    Categories of Event Types

    Internal Fraud
    External Fraud
    Employment Practices & Workplace Safety
    Clients, Products & Business Practices
    Business Disruption & Systems Failures
    Execution, Delivery & Process Management
    Damage to Physical Assets

    Effects Types

    Regulatory & Compliance
    Legal Liability
    Loss / Damage to Assets
    Restitution
    Loss of Recourse
    Write-Off

    Managing Operational Risk

    Risks cannot be mitigated 100%, but they can be managed within appropriate tolerance levels

    Identification, measurement, monitoring and controlling

    Operational Risk Management Principles

    Developing an Appropriate Risk Management Environment

    1 Board sets strategy and framework plus oversight
    2 Framework subject to effective and comprehensive internal audit.
    3 Senior Management responsible for implementing the Framework

    Risk Management: Identification, measurement, monitoring and control

    4 Identify & Assess Risks in Products, activities, Processes, systems by RCSA and KRIs etc.
    5 Monitor Risk Profiles and Losses, KRIs
    6 Policies, Processes and Procedures to mitigate Risks
    7 Contingency and Business Continuity Plans.

    Role of Supervisors

    8 Ensure Banks have effective framework in place
    9 Regular evaluation of strategies, policies, procedures & practices

    Disclosure

    10 Public disclosure of risk exposure & quality of management

    Governance Structure

    Governance models and reporting lines vary; given below is the most common risk governance structure

    BOD / Board Risk Committee
    Operational Risk Management Committee
    Head of Risk Management
    Risk Management Department
    Unit Risk Managers
    Risk Manager
    Market Risk
    Operational Risk
    Credit Risk
    Risk Manager

    Depends on size of the organization (all risks vs. specific risks)

    Mandate defines membership / authorities / responsibilities

    Ultimate responsibility for all risks lies with business units

    Risk managers provide tools and guidance in managing risks

    Framework Overview

    Governance
    Modelling
    Reporting
    Business Strategy
    Independent Assurance
    Policy & Guidelines
    Risk Mgmt. Committees
    Risk Universe Categorisation Scheme

    Tools

    Key Risk & Control Indicators
    Risk & Control Self-Assessments
    Internal Loss Data
    External Loss Data / Scenario Analysis

    Operational Risk, Credit Risk, Market Risk

    Operational Risk Framework Components

    Operational Risk

    Operational Loss Data
    Key Risk Indicators
    Risk & Control Self-Assessments

    Employee Claims
    Client & Third Party Claims
    Damage to Physical Assets
    Internal Fraud
    External Fraud
    Business Disruption & System Failures
    Transaction Processing Errors / Omissions

    Assessing Operational Risk Exposure

    Process of Continuous Risk Assessment, Monitoring and Reporting

    Reporting
    Mitigation Planning & Execution
    Measuring / Monitoring
    Likelihood and Severity
    Control Assessment
    Risk Identification

    Operational Risk Management Tools

    Control and Risk Self Assessment

    Key Risk Drivers and Indicators

    Loss Data

    Issue and Event Data

    Audit and Compliance Reports

    Scenario Analysis

    Self Assessment Methodology

    There are three main parts to risk & control self assessment (self assessment), namely

    risk identification,

    risk assessment and

    control evaluation.

    Risk & Control Self Assessment

    Define Objectives

    Identification of risks that could inherently impact achievement of objectives
        Impact (Low to Very High)
        Likelihood (Unlikely to Frequent)

    Identification of Controls mitigating risks
        Design
        Performance

    Assess residual risk (Inherent - Controls = Residual)

    Develop action plans

    Risk & Control Self Assessment

    Objectives
        Level of granularity
        Generic or specific or a combination of both

    Risks
        Open discussion on risks
        Cultural issues: Boss's view is the right view

    Controls
        Key Controls vs. Controls
        Control weighting
        Design vs. Performance

    Inherent Risk
        Difficult concept to digest but critical
        Impact / Likelihood estimation still subjective
        Developing Grids: Granularity and Scale

    Residual Risk
        How much risk is mitigated by controls
        Impact / Likelihood estimation
        Developing Grids: Granularity and Scale

    Risk assessment: A typical risk profile

    Why KRIs Are Important?

    Indicators are not easy to do; however, running a business without indicators is the same as driving a motor vehicle on a long journey without a fuel gauge, a speedometer or engine/oil temperature gauges: you simply would not contemplate doing so.

    KRIs identify areas of greater concern or exposure to the firm and are a means of providing management focus where it is needed most.

    Why are they important?

    Risk management: the ability of KRIs to predict potential risk hotspots can help a franchisee avoid or minimise losses;
    KRIs help identify process and/or control weaknesses and thus enable action to be taken to strengthen controls and resolve issues; and
    targets for KRIs can be set to drive behaviour and desired outcomes for the entity.

    Regulatory compliance: identification and management of KRIs is an area of regulatory focus; and

    KRI Identification

    Sources & Methods

    Historical Loss Events
        Losses
        Near Misses
        Claims

    Risk and Control Self-Assessment
        Process Mapping
        Risk and Control Identification
        Control Effectiveness Testing

    Internal & External Audit Findings
        Audit Reports
        Outstanding Audit Issues
        Regulatory Inspection Findings

    Market Driven Risks
        Regulatory Requirements
        Business Intelligence

    Short Approach

    KRI - Identification

    You are the Pilot of your business unit; you are monitoring all the indicators required to have a safe flight

    1) List down top 5-10 risks your department manages on a daily/weekly/monthly basis

    2) List down ALL reports produced as a summary of daily/weekly/monthly activity for the reviewer

    3) List down ALL reports produced as a summary of activities for management reporting

    Maker, Checker, Reviewer, Management Reporting

    Sr. No. DESCRIPTION OF KRI MEASUREMENT

    ALTERNATE DISTRIBUTION CHANNELS

    1 Physical damage to ATM per year
    2 Discontinuity of operation per day (ATM, Call Centre, Internet Banking)
    3 Number of frauds on ADC per month
    4 Number of incomplete processing of transactions per day

    COMMERCIAL & SME

    1 Number of exceptions of SBP guidelines per month
    2 Number of non-compliance of internal guidelines
    3 Number of NPL accounts per year
    4 Number of policy / guidelines exception cases which subsequently lead to default
    5 Number of cases rejected : total cases approved
    6 Number of cases where financials and/or risk rating is unavailable
    7 Number of overdue / classified accounts to Total accounts
    8 Number of new customers made in a month to total customers
    9 Number of approvals made beyond delegation matrix

    COMPLIANCE

    1 Number of circulars issued by SBP circulated to wrong departments per month:
        - Deadline/Compliance based Circulars
        - Non-Deadline/Information based Circulars
    2 Number of circulars issued by SBP which were not circulated internally per month:
        - Deadline/Compliance based Circulars
        - Non-Deadline/Information based Circulars
    3 Number of late / wrong / incorrect submission of returns to SBP per month
    4 Number of suspicious / AML transactions in the month
    5 Number of anti-money laundering transactions not monitored by Compliance but subsequently detected per quarter
    6 Number of policies not reviewed / revised during last three years

    Sr. No. DESCRIPTION OF KRI MEASUREMENT

    CORPORATE FINANCE

    1 Number of cases where annual review was not performed
    2 Number of NPL accounts per year
    3 Number of exceptions of SBP regulations / guidelines
    4 Number of policy / guidelines exception cases which subsequently lead to default
    5 Number of cases rejected : total cases approved
    6 Number of cases renewed after expiry per month
    7 Number of cases where financials and/or risk rating is unavailable
    8 Number of overdue / classified accounts to Total accounts
    9 Number of total cases processed to cases received in a month
    10 Number of new customers made in a month to total customers
    11 Breaches in delegation of authority limits
    12 Customer calls due but not conducted in a month

    HUMAN RESOURCES

    1 No. of employees who did not avail mandatory leaves in a year
    2 Number of employees leaving within 1 year service with the Bank
    3 Number of employees terminated in a quarter
    4 Employee absenteeism rate in the month
    5 Number of employees whose job descriptions were not available
    6 Number of cases where antecedent of new joiners not obtained
    7 Number of vacant positions
    8 Percentage of staff appraisal below satisfactory

    Loss Data

    Pinpoints actual areas of control failures

    Highlights cost of operational risk

    Losses should be assigned to the business areas where they originated

    Data required for modelling Operational Risk Capital requirement.

    Both internal and external loss data can be utilised

    Internal Loss Data

    Apply a minimum reporting threshold, e.g. Losses > Rs. 5000

    Make sure you record at least the 4 Ws (What, when, where, why)

    Allocate losses to correct business line and risk category.

    Ensure that you can revise the individual losses to record recoveries

    Include all losses!

    Regulatory Framework

    Regulatory Business Lines: Corporate Finance, Trading & Sales, Retail Banking, Commercial Banking, Retail Brokerage, Asset Management, Agency Services, Payment & Settlement

    Operational Risk Categories: IF, EF, EPWS, CPBP, DPA, BDSF, EDPM

    Scenario Analysis

    Apply some formal real world "what if" analysis to your processes

    Highlight control weakness before it results in losses

    Stress test identified points of failure to test resilience

    Test again to ensure mitigation is working

    Roles & responsibilities

    Control owner roles and responsibilities

    ensuring effective and efficient control design to manage the impact and likelihood of the risk

    analysis of this data: conversion into indicative information

    sourcing and collating relevant data concerning the performance of controls

    effective performance of control activities as designed

    creating and implementing corrective action driven by the risk information

    identifying and assessing the appropriateness and effectiveness of controls

    Roles & responsibilities

    Risk owner roles and responsibilities

    to identify, regularly maintain and communicate up to date risk information

    sourcing, collating and analysing relevant data indicating movements in impact and likelihood of risk;

    reporting information to the appropriate individuals / forums / committees;

    creating and implementing appropriate action driven by the information;

    ongoing monitoring of risks for changes in their impact or likelihood

    ensuring effective implementation of risk management action plans.

    identifying and assessing the appropriateness and effectiveness of controls

    Governance - Risk Categorization

    Event Categories

    Internal Fraud
    External Fraud
    Employment Practices & Workplace Safety
    Clients, Products & Business Practices
    Damage to Physical Assets
    Business Disruption & System Failures
    Execution, Delivery & Process Management

    Causal Categories

    People Risk
    Process Risk
    Technology Risk
    External Events Risk

    Organization could develop its own or adopt what is available; need to map

    Challenges

    Neither categorization works ideally for all tools in operational risk framework
    Event categories good for loss data, scenarios & risk measurement - causal categories good for RCSA and KRIs
    Using different categories for different tools could make aggregation of results difficult

    Benefits

    Provides a common risk language within the organization
    Facilitates participation in industry data consortiums
    Facilitates regulatory reporting
    Consistent use across risk tools will facilitate data aggregation

    Basel II & Industry

    Problems and Practicalities

    Risk based culture and continued management support.

    Business Line Buy-in and Resources.

    Coordination with Existing Control Initiatives

    KRIs focussed on performance.

    Loss data collection.

    External loss data availability.

    Real world scenario analysis.

    Access to Appropriate Information and Reporting.

    System Support.

    Thank You

    Q & A