Presented by:
Brenda Boultwood, SVP, Industry Solutions, MetricStream
Mike Finlay, Chief Executive, RiskBusiness International Limited
August 27, 2015
GARP Webcast
Integrating Operational Risk Management into an Enterprise Risk Framework
2
Mike has over 30 years’ experience in banking and finance, having started out pricing equity derivatives on the Johannesburg Stock Exchange. The majority of his career has focused on risk, specifically in the middle- and back-office environment. He has been responsible for establishing new business departments in the derivatives area, restructuring international payments businesses, developing regulatory banking law and implementing risk management frameworks in both international banking firms and in large corporates. He developed the initial risk management framework for the Bond Market Exchange of South Africa and led the integration of all trading and financial risk management activities across a leading mining and industrial conglomerate, while on the insurance side, Mike worked with insurance companies in developing an operational risk methodology to support the requirements of Solvency II. Mike led the development of the KRI Framework underlying the KRIeX.org KRI Library and the development of the KRI Library itself, and has worked on the development of loss data consortium requirements for several national and regional banking associations and consortia. Mike led a large multi-million Euro project in the area of risk and control self-assessment, has led scenario-based ICAAP assessments, assisted firms in achieving AMA accreditation and recently assisted a leading Western European regulator in conducting their periodic AMA accreditation review programme. Part of the focus on risk has included technology, risk assessment and training. Mike is a frequent lecturer on operational risk for banking supervisors at the Bank for International Settlements, as well as at industry conferences and seminars. Mike is a regular guest lecturer on risk management at Judge Business School, Cambridge University, as well as at the University of South Africa (UNISA).
He has worked with the World Bank/IFC in the Russian Federation and across Eastern Europe, as well as with the Financial Services Volunteer Corps and the BIS’ Financial Stability Institute in ongoing risk management education and knowledge transfer in Europe and Africa. Mike obtained a Bachelor of Commerce degree from the University of the Witwatersrand, Johannesburg and read for an MBA from Henley Management School/Brunel University through the Graduate Institute of Management and Technology in South Africa. He is a Fellow of the South African Institute of Bankers, a Director, Vice Chair and Fellow of the Institute of Operational Risk, a member of the Association of Certified Fraud Examiners and a Charter Member of Risk Who’s Who. Mike was recognized in January 2009 by OpRisk & Compliance magazine as one of the “Top 50 Faces of Operational Risk” and was responsible for RiskBusiness being awarded one of ten “Ten Years of Operational Risk Achievement Awards” for its work on risk content and taxonomies.
Mike Finlay, Chief Executive, RiskBusiness International Limited
3
Brenda Boultwood is Senior Vice President of Industry Solutions at MetricStream. Before joining MetricStream, Brenda was Senior Vice President and Chief Risk Officer for Constellation Energy where she led risk management activities for Constellation Energy and its businesses, including defining and assessing enterprise-wide business risks and facilitating proactive decision-making to effectively manage the risks associated with each business line.
Prior to joining Constellation Energy, Brenda served in a number of roles at JPMorganChase, including serving as head of risk management for their Treasury Services business. Prior to that, Brenda served as head of market risk, counterparty credit risk and operational risk management at Bank One Corporation. Brenda also worked with PricewaterhouseCoopers as a senior manager in its Financial Risk Management Consulting Practice and was employed with Chemical Bank Corporation as a financial engineering associate. In addition, she spent six years teaching in the University of Maryland’s Master of Business Administration program.
Brenda was a member of the CFTC Technology Advisory Committee, and serves on the Boards of Committee of Chief Risk Officers (CCRO). She previously served as Board Member of Global Association of Risk Professionals (GARP). She earned a Ph.D. in economics.
Brenda Boultwood, MetricStream
4
Enterprise Risk Management (ERM)
• COSO definition: enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
• Covers all eight recognized risk types:
• Strategic Risk
• Business Risk
• Credit Risk
• Market Risk
• Operational Risk
• Liquidity Risk
• Insurance (Perils, Underwriting) Risk
• Environmental Risk
5
Operational Risk Management (ORM)
• Basel II definition: the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The definition includes legal risk but excludes strategic and reputational risk.
• Business definition: any actual or potential adverse or unexpected impact upon a business arising from any aspect of its business other than from pure market risk, credit risk or liquidity risk.
• Issues:
• Boundaries with other risk types; operational risk is embedded in all other risk types
• No direct correlation to volumes, market volatility, economic cycles or other easily quantifiable factors
• Direct link to the “human factor”
• The business intuitively accepts it as part of “business as usual” and has difficulty in understanding the “regulatory” rationale behind elevating it to a distinct risk type
6
Proliferation of forms of Operational Risk
• ORM is accepted as including errors, system issues, legal issues, process failures, natural disasters and fraud; other forms are often considered separate risk “types”:
• Compliance – actually the risk of non-compliance, which is either a people or process issue
• Reputation – actually measures the impact or consequences of other risk types, mainly of operational risk manifestation
• Information Security – the risk of loss of data (error, process failure or theft), missing data (process failure) or corruption of data (error, process failure or system issue)
• Conduct – the risk that staff misbehave, fail to follow procedures or that the firm adopts inappropriate business practices (people or process failures) – also referred to as People risk
• Culture – the risk that the firm has an inappropriate culture (people, process failure, management)
• Business continuity – the risk that a natural disaster causes business disruption (systems issues, external factors)
7
Cross-over between risk types
• Consider the 2012 Fukushima Daiichi disaster in Japan:
• Overt cause: earthquake which triggered a tsunami which caused structural damage to the nuclear plant, power outages which affected cooling and contamination of water supplies, preventing cooling, all leading to a nuclear incident
• Overt classification: operational risk
• But:
• During the original construction phase, engineers were aware that sea defence walls were not high enough to counter known probable sea levels, but they were left due to cost implications
• Primary control failure: inadequate sea defence walls
• So:
• Actual risk type: business risk
8
Cross-over between risk types
• Consider the 2010 BP Deepwater Horizon oil spill in the Gulf of Mexico:
• Overt cause: pressure in the well caused a safety collar to rupture, leading to a spill measured around 1,000 barrels per day, with massive environmental damage
• Overt classification: operational risk
• But:
• In all other fields, BP employed multiple safety collars
• Multiple engineer reports reflected concern about the strength of steel used, cement mixture used, number of collars and centralizers, all reduced to save costs and time
• So:
• Actual risk type: business risk
9
An ethical dilemma
10
Three lines of defense
• The three lines of defense model is actually not a risk model; it is a governance model.
• It focuses on the governance structure of the firm: who is accountable for what and how accountability is delegated across the firm’s structure
• As a consequence of appropriate delegations and limits on delegations, risk is managed at the appropriate point within risk appetite tolerances
• A sound three lines of defense model is risk agnostic and supports ERM:
• Line 1 is the business and its immediate support functions
• Line 2 provides direction, oversight and challenge (#OCD)
• Line 3 is responsible for independent assurance
• A core function of the three lines of defense model is the establishment and functioning of accountable governance forums, which in turn report back to the delegant of authority.
11
Unite Multiple Perspectives on Risk Assessment
Visualize the Process and Associate Risks at Each Process Step
[Slide diagram: a business process modeling capability inherent in a federated GRC platform, shown against an Accounts Payable Process, with visualizations of various risk perspectives aligned with the business process: Third Party Risk, Technology Risk, Legal Risk, Human Capital Risk, Geo-political Risk, BCM Risk, Process Related Risk, Reputational Risk]
12
Integrated Enterprise Risk Framework
Risk and control assessment of end-to-end business processes:
• Business unit owned
• Incorporates integrated functional input in identification and quantification of risks
Standard libraries of risks and controls ensure a consistent methodology and facilitate aggregation by common attributes:
• Risk identification
• Risk severity and importance ratings
• Control effectiveness ratings
Improved risk identification and control monitoring:
• Facilitates risk aggregation across business units, functions and the enterprise
• Controls evaluated once and leveraged by other linked functions and processes
• Highlights interdependencies between risks and controls spanning numerous processes and functions
13
Implementing an Effective Risk Management Approach
• Centralised, integrated risk framework
• Same vocabulary, same rating scales, a single risk taxonomy ensuring consistency
• Streamlined process for assessment, analysis, mitigation
• Access to structured risk information & risk intelligence
• Better understanding of risk profiles
• Integrate risk management into decision making and strategic planning
• Centralized view of risks aligned to corporate strategy & objectives
• Real-time information for the decision making process
• A robust board level reporting and review process
• Streamlined framework and an integrated GRC system approach
• Build a strong risk culture – alignment among different units, processes
• Enterprise-wide visibility and control
A technology solution serves as the foundation for the company’s enterprise-wide risk and control activities.
14
Common Data Objects
Risk Data Model: Universal and Consistent
Core objects: Organization, Risk, Control, Area of Compliance, Requirement, Standard, Regulatory Body, Objectives, Financial Account, Function, Question / Procedure, Reference, Process, Product, Asset, Asset Class, Evidence, Exception
• Risk Assessments: Risk Assessment Plan, Risk Assessment, Assessment Factor, Perspective
• Issues: Issue, Action
• Incidents: Incident, Investigation
• Regulatory Alerts: Regulatory Review, Regulatory Alert
• Metrics: Metric, Metric Data
• Loss Events: External Loss, Internal Loss
• Compliance Testing: Self-Assessment / Test Plan, Self-Assessment, Certification, Test
• Scenario Analysis: Scenario Workshop, Scenario, Scenario Response
15
Risk Intelligence for Business Performance
[Slide diagram with the following elements]
• GRC Processes: Risk Assessments, Control Tests, Policy Management, Surveys, Self Assessments, Monitoring, Audits, Issue Management
• Internal & External Data: Content, Organizational Data, Loss Data (Severity, Frequency), External Feeds (Regulatory Updates, Social Monitoring, etc.), Threats & Vulnerabilities (Servers/Computers/Mobile/Cloud Assets)
• Risk Metrics, KRIs / KPIs & Business Objectives
• Reporting & Analytics: Plug ‘n Play Analytics, Advanced Data Visualizations, Report & Dashboarding, Heat Maps, Business Objectives, KRIs, KPIs
16
Communication of Top Risks, Emerging Risk and Strategic Risks
To build and maintain an effective risk management framework, a company must continuously evaluate the risk landscape
• Top risks are highlighted to ensure that executive management is focusing on the priority risks to the company
• Emerging risks are identified based upon new systemic, political and market factors, as well as other current events
• Strategic risks assess underlying emerging and systematic risks incorporated in the strategic plan that could derail the strategy and business plan
By understanding the enterprise risk factors, a company can develop strategies to optimize controls, improve performance and reduce the negative impacts to the business.
17
Adopt an Integrated Approach to ERM
• A centralized risk framework to ensure consistent risk information is maintained across the organization
• Common Risk, Control, & Process Libraries
• Classify & categorize risks, assign owners
• A single risk taxonomy across the organization
• Identification, sharing and mapping of cross-organizational risks
• Linking of Priority Risks to Strategic Plans
• An integrated risk framework to identify, assess and mitigate risk data elements
• Risk register to document all risks and related events
• Assess and analyze risks based on various factors
• Calculate risk metrics and KRIs
• Set risk appetite and thresholds
• Correlate, analyze and visualize risks
• Integrated issues tracking & mitigation
18
Technology IS the “differentiator”
Four areas shown on the slide: Enhance Risk Strategy, Embed Risk Management, Improve Control and Processes, Optimize Risk Management Functions
• Build two-way communication
• Generate risk intelligence for top management
• Implement a common risk framework
• Program manage an enterprise-wide risk and compliance program
• Define Risk Appetite at multiple levels of the organization
• Stress Testing to validate risk tolerance
• Coordinating risk reporting cycles
• KRI tracking by business lines
• Automation of planned self-assessments
• Control design and implementation effectiveness
• Continuous updating of risk and control metrics
• Integrated risk management training and awareness
• Standardized reporting and monitoring
• Reducing redundancy while increasing coverage
• Communicate risks across the business
19
Solution Architecture
Technology Platform
• Infrastructure
• Core Foundation Components: Risks, Controls, Processes, Assets, Organizations, Regulations, Documents, Content
• Platform services: Alerts, Security, Dashboards/Analytics, Offline Briefcase, Integration Engine
Application modules
• Risk Mgmt: Assessment, Mitigation, KRIs, Heat Maps
• Compliance Mgmt: Self Assessments, Control Testing, Surveys, Certifications
• Audit Mgmt: Annual Planning, Audit Planning, Audit Execution, Audit Reporting
• Issue Mgmt: Issue Tracking, Assessing Severity, Monitor Remediation
• Other Products…: Policy Management, Loss Management, Vendor Management, Credit Asset Review …
Solutions
• Regulatory Compliance
• Managing Sanctions and Agreements
• Anti-Bribery Program
• Supplier Governance
• Corporate Ethics
• IT Governance
Lifecycle: Establish, Extend, Sustain, Leverage
• Application Studio: Forms, Data, Process, Standards/Templates
• Compliance Online: Content, Community, Alerts and Feeds
• AppExchange
20
Enable Informed Decision Making Process
• Advanced Analytics for decision-making
• Better understanding of risk profiles
• Effective monitoring and communication
• Integrate risk assessment into management decision-making
• Leverage risk assessment results to enhance controls or the risk acceptance
• Enabling decision makers to quickly determine the potential impact of risk and develop an action plan
• Powerful dashboards, charts and heat maps provide real-time information and strengthen transparency into risk and control management
• Monitor risk values vs. threshold values
• Perform trend analysis
• Conduct what-if & scenario analysis
• Aggregate and monitor exposures across counterparties, lines of business, etc.
• Graphical dashboards and board level scorecards
21
Operational Risk Management: Key Strengths
• Flexible and adaptable Risk and Control framework
• Based on industry standards such as ISO, COSO, COBIT Standards etc.
• Quantitative and Qualitative Risk Assessments, Scenario modeling
• Advanced Risk Modeling capabilities
• Visualization, mitigation strategies, risk relationships & scoring
• Internal and External Loss event management
• Event recognition, investigations and remediation
• Key Risk Indicators (KRIs) for tracking risk metrics and thresholds
• Automated notification when thresholds are breached
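The KRI mechanics described across slides 17, 20 and 21 (a single taxonomy, appetite thresholds, threshold-vs-value monitoring, trend analysis and roll-up across business units) can be made concrete with a small monitor. This is an added illustration, not code from the webcast or from the MetricStream platform; the metric names, business units, thresholds and observations are constructed sample data.

```python
from dataclasses import dataclass, field
SEVERITY = {"GREEN": 0, "AMBER": 1, "RED": 2}   # ordering used for roll-ups

@dataclass
class KRI:
    name: str
    risk_category: str          # category from the single risk taxonomy
    business_unit: str
    amber: float                # appetite warning threshold
    red: float                  # appetite breach threshold
    history: list = field(default_factory=list)  # periodic observations, oldest first

def rating(kri, value):
    """Compare one observation against the KRI's appetite thresholds."""
    if value >= kri.red:
        return "RED"
    if value >= kri.amber:
        return "AMBER"
    return "GREEN"

def trend(history, window=3):
    """'rising' when the last `window` observations strictly increase, else 'stable'."""
    recent = history[-window:]
    if len(recent) < window:
        return "insufficient data"
    return "rising" if all(a < b for a, b in zip(recent, recent[1:])) else "stable"

def evaluate(kris):
    """Notification records for every KRI whose latest value is at or above amber."""
    alerts = []
    for k in (k for k in kris if k.history):          # skip KRIs with no observations yet
        status = rating(k, k.history[-1])
        if status != "GREEN":
            alerts.append({"kri": k.name, "unit": k.business_unit, "category": k.risk_category,
                           "status": status, "value": k.history[-1], "trend": trend(k.history)})
    return alerts

def aggregate_by_category(kris):
    """Worst latest status per taxonomy category, rolled up across business units."""
    rollup = {}
    for k in kris:
        if k.history:
            status = rating(k, k.history[-1])
            if SEVERITY[status] >= SEVERITY[rollup.get(k.risk_category, "GREEN")]:
                rollup[k.risk_category] = status
    return rollup

# Constructed sample register (hypothetical units, metrics and thresholds).
SAMPLE_KRIS = [
    KRI("Failed payments (%)", "Process", "Treasury", 2.0, 5.0, [1.1, 1.8, 2.4, 3.1]),
    KRI("Failed payments (%)", "Process", "Retail", 2.0, 5.0, [0.5, 0.7, 0.6]),
    KRI("Open critical vulnerabilities", "Technology", "IT", 10, 25, [8, 12, 30]),
    KRI("Staff turnover (%)", "People", "HR", 15, 25, [16, 14, 12]),
]
```

`evaluate(SAMPLE_KRIS)` raises two notifications (Treasury at AMBER and IT at RED, both with a rising trend) while `aggregate_by_category` shows the same metric name in two units rolling up to one category status because both share the taxonomy entry.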
22
Best Practices – Stress Testing
Creating a culture of risk awareness®
Global Association of Risk Professionals
111 Town Square Place, 14th Floor, Jersey City, New Jersey 07310, U.S.A. +1 201.719.7210
2nd Floor, Bengal Wing, 9A Devonshire Square, London, EC2M 4YN, U.K. +44 (0) 20 7397 9630
www.garp.org
© 2015 Global Association of Risk Professionals. All rights reserved.
About GARP | The Global Association of Risk Professionals (GARP) is a not-for-profit global membership organization dedicated to preparing professionals and organizations to make better informed risk decisions. Membership represents over 150,000 risk management practitioners and researchers from banks, investment management firms, government agencies, academic institutions, and corporations from more than 195 countries and territories. GARP administers the Financial Risk Manager (FRM®) and the Energy Risk Professional (ERP®) exams; certifications recognized by risk professionals worldwide. GARP also helps advance the role of risk management via comprehensive professional education and training for professionals of all levels. www.garp.org