IEEn 573 Risk Management
Evelyn M. Eviota
Sept. 01, 2015

Transcript of 09_01_2015_operational_risk_management.pptx

What we learned last 08/18/15:
1. Different types of financial risk:
   1.1 Market risk: types, factors that influence it, management
   1.2 Credit risk: forms, management

OPERATIONAL RISK MANAGEMENT

Operational risk: the risk of losses resulting from inadequate or failed internal processes, people and systems, or from external events.

Operational RM vs ERM:
- Enterprise risk management (ERM) focuses on ensuring that an organization manages the uncertainty that exists around the achievement of its objectives.
- Operational risk management (ORM) focuses on managing the risks that arise in the day-to-day activities of actually executing the organization’s strategy.


Categories of Operational Risk [1]:
- The banking and insurance industries categorize operational risk using the “Basel and Solvency” approach. Although these categories were designed for financial institutions, the great majority are not unique to the financial industry and provide a good framework for addressing operational risk in any industry. The Basel & Solvency approach breaks operational risk down into seven (7) major categories, 18 secondary categories and 64 sub-categories.

[1] Basel Committee of the Bank for International Settlements (BIS) & Solvency Committee of the International Association of Insurance Supervisors (IAIS)


The categories of operational risk per BIS & IAIS:

1. Internal Fraud
   a. Unauthorized activities
      a.1 transactions not reported (intentional)
      a.2 transaction type unauthorized (with monetary loss)
      a.3 mismarking of position (intentional)
   b. Theft & fraud
      b.1 fraud / credit fraud / worthless deposits
      b.2 theft / extortion / embezzlement / robbery
      b.3 misappropriation of assets
      b.4 forgery
      b.5 check kiting
      b.6 smuggling
      b.7 account takeover / impersonation
      b.8 tax noncompliance / evasion (willful)
      b.9 bribes / kickbacks
      b.10 insider trading

2. External Fraud
   a. Theft & fraud
      a.1 theft / robbery
      a.2 forgery
      a.3 check kiting
   b. System security
      b.1 hacking damage
      b.2 theft of information (with monetary loss)

3. Employment Practices
   a. Employee relations
      a.1 compensation, benefits, termination issues
      a.2 organized labor activities
   b. Safe environment
      b.1 general facility (e.g., slip and fall)
      b.2 employee health & safety rules, events
      b.3 worker’s compensation
   c. Diversity & discrimination
      c.1 all discrimination types (racial, sexual, orientation, religion, etc.)


4. Clients, Products & Business Processes
   a. Suitability, disclosure and fiduciary
      a.1 fiduciary breaches / guideline violations
      a.2 suitability / disclosure issues (Know Your Customer, etc.)
      a.3 retail consumer disclosure violations
      a.4 breach of privacy
      a.5 aggressive sales
      a.6 account churning (excessive buying & selling of securities by a broker to generate commission)
      a.7 misuse of confidential information
      a.8 lender liability
   b. Improper business or market practices
      b.1 antitrust
      b.2 improper trade / market practices
      b.3 market manipulation
      b.4 insider trading (on firm’s account)
      b.5 unlicensed activity
   c. Product flaws
      c.1 product defects (unauthorized, etc.)
      c.2 model errors (poor design)
   d. Selection, sponsorship & exposure
      d.1 failure to investigate client per guidelines
      d.2 exceeding client exposure limits
   e. Advisory activities
      e.1 disputes over performance of advisory activities

5. Damage to Physical Assets

   a. Disaster & other events
      a.1 natural disaster loss
      a.2 human losses from external sources (terrorism, vandalism)

6. Business Disruptions & System Failures
   a. Systems
      a.1 hardware
      a.2 software & middleware
      a.3 telecommunications
      a.4 utility outage / disruptions (failure in business continuity)

7. Execution, Delivery & Process Management
   a. Transaction capture, execution & maintenance
      a.1 miscommunication
      a.2 data entry, maintenance or loading error
      a.3 missed deadline or responsibility
      a.4 model / system mis-operation
      a.5 accounting error / entity attribution error
   b. Monitoring and reporting
      b.1 failed mandatory reporting obligation
      b.2 inaccurate external report (loss incurred)
   c. Customer intake and documentation
      c.1 client permission / disclaimers missing
      c.2 legal documents missing / incomplete
   d. Customer / client account management
      d.1 unapproved access given to accounts
      d.2 incorrect client record (loss incurred)
      d.3 negligent loss or damage of client assets
   e. Trade counterparties
      e.1 non-client counterparty performance
      e.2 miscellaneous non-client counterparty disputes
   f. Vendors and suppliers
      f.1 outsourcing
      f.2 vendor disputes


Three (3) main activities that executives must engage in to manage their operational risks:

1. Establish clarity around objectives, roles and responsibilities.
2. Align resources to deliver excellent performance.
3. Develop capabilities to handle unexpected or uncontrollable factors. For those risks that are outside of the expected range or are imposed on the organization by external forces, the management stance shifts from one of prevention and control to one of readiness and resilience.



Seven (7) Steps in Operational Risk Assessment:
1. Clearly define the objective.
2. Understand the performance drivers.
3. Understand the risk drivers. What factors drive uncertainty around achieving objectives?
4. Identify the factors most likely to impact objectives.
5. Estimate the size of the impact.
6. Select the significant few.
7. Identify the underlying assumptions.


Tools that can be used to assess operational risk:

I. The Bowtie Model
- used to map out the progression of a risk from underlying cause, to risk event, to consequence.


In using the Bowtie model, one has to understand first:
a. A risk factor, also called a cause, issue or underlying condition, is the precursor of a risk event.
b. A risk event, also called a problem or opportunity, occurs when a risk becomes manifest.
c. A consequence, also called an outcome, results when a risk transcends from possibility to actuality.


The bow is divided into:
a. The middle, or the knot of the bowtie, represents an event with the potential to affect the achievement of objectives.
b. The left half of the bow represents the underlying conditions or causes that trigger the event, including any prevention capabilities that are in place.
c. The right half of the bow represents what unfolds after the event occurs, including any mitigation capabilities that are in place and the consequences of the event in terms of the ultimate impact on objectives.


Example: (bowtie diagram slide; the figure is not reproduced in this transcript)


- The Bowtie model can be used in a proactive way to delineate the root causes that may lead to a risk event and the potential impacts the risk event may have on the achievement of objectives.

- It helps to draw the direct link from cause, to risk event, and to consequence.

- Can also be used as a learning tool after an incident whether the event results in downside effects on objectives or is only a “near miss.” The learning is gained by comparing the expected performance of the prevention and mitigation plans against their actual performance. This comparison will reveal risk treatments that are not effective and will also provide insight into how they might be enhanced to manage risk to a tolerable level.
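The following is an added example, not part of the lecture slides, that puts the bowtie structure above into code: a risk event at the knot, cause paths with prevention barriers on the left, consequence paths with mitigation barriers on the right, plus the two uses the slides describe, the proactive ranking of cause paths and the post-incident comparison of planned versus actual barrier performance. The event is taken from category 7.d.1 on the slides (unapproved access given to accounts); the causes, barrier names, planned-effectiveness figures and the incident record are all constructed for illustration.

```python
"""Bowtie model of an operational-risk event, with the post-incident learning step.

Added example, not taken from the lecture slides. The event, causes, barriers,
planned effectiveness figures and the incident record are all constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Barrier:
    """One risk treatment (prevention or mitigation) on a bowtie path.

    planned is the assumed fraction of attempts the barrier stops (0..1); it is
    a planning assumption, which is exactly what the learning step puts to the test.
    """
    name: str
    planned: float


@dataclass
class Bowtie:
    event: str                                        # the knot: the risk event itself
    causes: dict = field(default_factory=dict)        # left half: cause -> prevention barriers
    consequences: dict = field(default_factory=dict)  # right half: consequence -> mitigation barriers

    @staticmethod
    def path_residual(barriers):
        """Likelihood that every barrier on one path fails, given planned effectiveness."""
        residual = 1.0
        for b in barriers:
            residual *= 1.0 - b.planned
        return residual

    def proactive_view(self):
        """Rank cause paths by residual likelihood, highest first (the proactive use)."""
        ranked = sorted(self.causes.items(),
                        key=lambda kv: self.path_residual(kv[1]), reverse=True)
        return [(cause, round(self.path_residual(bs), 4)) for cause, bs in ranked]

    def _all_barriers(self):
        for bs in list(self.causes.values()) + list(self.consequences.values()):
            yield from bs

    def review_incident(self, outcome, surprise_floor=0.8):
        """Learning step: compare planned vs actual barrier performance after an incident.

        outcome maps barrier name -> 'held', 'failed' or 'not_tested' (default).
        A barrier that failed despite planned effectiveness >= surprise_floor is
        flagged as an ineffective treatment; the incident is a near miss when every
        consequence path still had at least one mitigation barrier hold.
        """
        known = {b.name: b for b in self._all_barriers()}
        unknown = set(outcome) - set(known)
        if unknown:
            raise KeyError(f"outcome names barriers not on the bowtie: {sorted(unknown)}")
        report = {"held": [], "failed": [], "not_tested": []}
        for name in known:
            status = outcome.get(name, "not_tested")
            if status not in report:
                raise ValueError(f"bad status {status!r} for {name}")
            report[status].append(name)
        report["ineffective"] = sorted(
            (n for n in report["failed"] if known[n].planned >= surprise_floor),
            key=lambda n: known[n].planned, reverse=True)
        report["near_miss"] = all(
            any(outcome.get(b.name) == "held" for b in bs)
            for bs in self.consequences.values())
        return report


# Constructed bowtie for slide item 7.d.1, "unapproved access given to accounts".
ACCOUNT_ACCESS = Bowtie(
    event="unapproved access given to a client account",
    causes={
        "leaver's entitlements not revoked": [
            Barrier("HR-to-IAM offboarding feed", 0.9),
            Barrier("quarterly access recertification", 0.6)],
        "access change made outside the request workflow": [
            Barrier("four-eyes approval in IAM", 0.95),
            Barrier("weekly entitlement reconciliation", 0.8)],
    },
    consequences={
        "client data disclosed": [
            Barrier("access-log alerting on unexpected principals", 0.7),
            Barrier("client notification procedure", 0.99)],
        "unauthorized transfer from the account": [
            Barrier("per-transaction limits", 0.9),
            Barrier("manual fraud review hold", 0.85)],
    },
)

# Constructed post-incident record: the change bypassed both prevention barriers
# on one cause path; the first mitigation barrier on each consequence path held.
INCIDENT = {
    "four-eyes approval in IAM": "failed",
    "weekly entitlement reconciliation": "failed",
    "access-log alerting on unexpected principals": "held",
    "per-transaction limits": "held",
}

if __name__ == "__main__":
    for cause, residual in ACCOUNT_ACCESS.proactive_view():
        print(f"{residual:6.4f}  {cause}")
    review = ACCOUNT_ACCESS.review_incident(INCIDENT)
    print("ineffective treatments:", review["ineffective"])
    print("never exercised:", review["not_tested"])
    print("near miss:", review["near_miss"])
```

The review deliberately separates treatments that failed from treatments that were never exercised: a barrier that did not get tested in the incident has produced no evidence either way, which is the gap the "near miss" comparison on the slide is meant to expose.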


II. The “5 Whys”
- a question-asking method that can be used to explore the cause-and-effect relationships underlying a particular risk event or problem.
- to use the 5 Whys method, one starts with the risk event and asks “Why did (or would) this happen?” and then repeats the question until the root cause(s) is revealed.
- it usually doesn’t take much digging to get to the root cause(s) of a risk event.
- the key with the 5 Whys method is to keep asking Why until you get to the underlying root cause(s), which studies have shown is generally a combination of failures or weaknesses in the organization’s system of management and business practices. It may take from three to seven Whys to get to a systemic weakness.


Example: fatal vehicle accidents (the problem)
* Why? Tires failed (first why).
* Why? Quality of tires not up to standard (second why).
* Why? As a result of cost reduction measures, there was a switch to a lower cost supplier of materials, which led to a reduction in the quality of tires (third why).
* Why? Changes to the supply arrangement were made exclusively on cost considerations, not on quality (fourth why).
* Why? Risk was not factored into the quality assurance processes around new suppliers (fifth why).


How to Effectively Manage Operational Risk:
1. Identifying and quantifying the risks associated with implementing a particular strategy, so that the potential impact that these risks can have on operational objectives can be understood.
2. Evaluating the organization’s risk management effectiveness by assessing the ability of existing risk treatment efforts to maximize upside effects and minimize downside effects on objectives. If this evaluation reveals that the risk exposure is not within the bounds of the organization’s risk tolerance, then the existing suite of risk treatments needs to be modified.
3. Developing an adaptive risk response capability to bring the risk within the defined risk tolerance range and to keep it there when changes occur either in the level of risk (normally caused by changes in the internal or external business environment) or in the organization’s risk tolerance.

Encouraging a Culture of Risk Management at the Operational Level:
4. Model good risk management behavior.
5. Articulate expectations for risk management behavior.
6. Be clear about the consequences and follow through on them.


Aligning ERM and ORM:
1. Objective(s), or what it is that the person has to achieve. The concept of having a strategic goal for the organization and measurable objectives for each individual is fundamental to risk management.
2. Strategy, or how the individual is to go about achieving each of their objectives. Strategy is sometimes referred to as a direction or path that the person is to pursue.
3. Risk appetite, or how much risk the organization is willing to take on to ensure the person has ample opportunity to achieve his or her objective.
4. Performance measures and targets that will be used to assess the individual’s progress toward their operational objectives, and the organization’s progress toward its strategic objectives.
5. Risk indicators and risk tolerance levels that articulate the key conditions that will be monitored to provide an early warning that a significant risk event may be imminent or that a risk is about to move outside of the tolerable zone.
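As an added example of item 5, not from the lecture slides, the code below monitors a few risk indicators against a warning level and a tolerance level. It gives an early warning in two ways: when the latest value reaches the warning level, and when the recent trend projects that the indicator will cross the tolerance level within a short horizon even though it is still inside the tolerable zone today. The indicator names, thresholds and the weekly/monthly observations are constructed; the indicators are drawn from the operational-risk categories listed earlier (account management, mandatory reporting, vendors, data entry).

```python
"""Risk indicators with tolerance levels and early-warning logic.

Added example, not from the lecture slides. Indicator names, thresholds and
the observation histories are constructed to illustrate the technique.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskIndicator:
    """A monitored condition tied to an operational objective.

    warning:   level at which the indicator is flagged early (still tolerable)
    tolerance: level at or beyond which the risk is outside the tolerable zone
    horizon:   how many future periods the trend projection looks ahead
    """
    name: str
    objective: str
    warning: float
    tolerance: float
    horizon: int = 3


def linear_trend(values):
    """Least-squares slope of values per period (0.0 if fewer than two points)."""
    n = len(values)
    if n < 2:
        return 0.0
    xs = range(n)
    mean_x = sum(xs) / n
    mean_y = sum(values) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, values))
    den = sum((x - mean_x) ** 2 for x in xs)
    return num / den


def assess(indicator, history):
    """Classify an indicator as 'within tolerance', 'early warning' or 'outside tolerance'.

    Returns (status, reason). Early warning fires either because the latest value
    reached the warning level or because the trend over the last four periods
    projects a breach of tolerance within the indicator's horizon.
    """
    if not history:
        raise ValueError(f"{indicator.name}: no observations")
    latest = history[-1]
    if latest >= indicator.tolerance:
        return "outside tolerance", f"latest {latest} >= tolerance {indicator.tolerance}"
    slope = linear_trend(history[-4:])
    projected = latest + slope * indicator.horizon
    if latest >= indicator.warning:
        return "early warning", f"latest {latest} >= warning {indicator.warning}"
    if projected >= indicator.tolerance:
        return "early warning", (f"trend {slope:+.2f}/period projects {projected:.1f} "
                                 f"in {indicator.horizon} periods")
    return "within tolerance", f"latest {latest}, projected {projected:.1f}"


def dashboard(indicators, observations):
    """Assess every indicator; returns {name: (status, reason)}. Missing data raises KeyError."""
    return {ind.name: assess(ind, observations[ind.name]) for ind in indicators}


# Constructed indicators, each tied to an operational objective from the risk categories.
INDICATORS = [
    RiskIndicator("unapproved entitlement changes / week", "client account management",
                  warning=4, tolerance=6),
    RiskIndicator("failed mandatory reports / month", "regulatory reporting",
                  warning=1, tolerance=2),
    RiskIndicator("vendor SLA breaches / month", "outsourced operations",
                  warning=2, tolerance=4),
    RiskIndicator("data entry errors / week", "transaction capture",
                  warning=10, tolerance=20),
]

# Constructed histories, oldest first.
OBSERVATIONS = {
    "unapproved entitlement changes / week": [0, 1, 2, 3],   # under warning, but trending up
    "failed mandatory reports / month": [0, 0, 0, 0],
    "vendor SLA breaches / month": [1, 2, 4, 5],             # already past tolerance
    "data entry errors / week": [6, 7, 12, 11],              # at warning level
}

if __name__ == "__main__":
    for name, (status, reason) in dashboard(INDICATORS, OBSERVATIONS).items():
        print(f"{status:18s} {name}: {reason}")
```

The trend check is what turns a threshold into an early warning in the sense of the slide: the entitlement-change indicator is still below its warning level, but its slope projects a tolerance breach three periods out, so it is flagged before the risk leaves the tolerable zone rather than after.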
