CDS Operational Risk Management - October 28, 2005
Existing Methodologies for Operational Risk Mitigation -
CDS’s ERM Program
ACSDA Seminar - October 26 - 28, 2005 Punta del Este, Uruguay
Agenda
- Enterprise Risk Management Framework
- Governance of Operational Risk
- Self-Assessments
- Key Risk Indicators
- Reporting
- Internal Controls
- Risk Financing Program
- Lessons Learned
- Conclusions
Enterprise Risk Management Framework
A process for CDS to manage enterprise-wide risks (including operational risk) in an integrated fashion in order to optimize returns from risk-taking activities.
Mission of ERM:
- Identify and understand risks inherent in CDS’s business activities and processes
- Enable management to make better decisions through balanced focus on risk and returns of decisions and ongoing education of personnel.
Enterprise Risk Management Framework
Objectives of ERM Framework:
- Promote shared vision of risk management to facilitate integrated reviews of risks and provide managers with better understanding of risk/reward trade-offs
- Apply leading practice methodologies to identify, assess, measure, manage, monitor and report risks
- Assign appropriate attention/resources to key risks
- Find appropriate balance between costs and risk controls
- More accurately factor risk into decisions, products and projects
- Satisfy regulatory requirements.
Enterprise Risk Management Framework
Guiding principles:
- Clearly define responsibilities for management of risks:
  - Each business unit responsible for managing their risks
  - Overall responsibility for ERM should be independent from business units: Risk Management at CDS
- Risk management risk avoidance
- Risk management should be proactive not reactive
- Timely, accurate and consistent management, monitoring and measurement of risk
- Reporting structure that includes senior management, board of directors, auditors and regulators.
Governance of Operational Risk
[Organization chart. Labels shown:]
- Levels: Board of Directors; Board Committees; Management Committees; Risk Management Functions; Business Line Management
- Committees: Audit Committee; Executive Committee; Finance Committee; Strategy Group; Risk Committee; Operations Committee; Executive Steering Committee
- Functions: Legal; Information Security and Control; Internal Audit; Risk Management; Human Resources; Finance
Self-Assessments
Risk identification and definition using common categories:
- Strategic risks
- Operational risks (essentially same as Basle II)
  - People
  - Processes
  - Business
  - Projects
  - Technology
  - Legal and regulatory
  - External
- Financial risks.
Self-Assessments
Risk assessment and measurement to rank risks and prioritize action.
Risk exposure determined by the probability and impact of a given event.
Probability ranked on scale of 1 (<25% probability) - 4 (>75%) for a five-year period.
Impact ranked by potential loss of staff, service capability, capital, assets, customer base, reputation or some combination.
Self-Assessments
Multiples of probability x impact yield rankings for prioritizing risks:
- Green (1 - 4)
- Yellow (4 - 8)
- Red (9 - 16).
Risks are grouped by categories to profile areas of higher risks and to produce an average overall risk profile for the company.
Risk profile allows tracking of changes of risk by category and at enterprise level.
Self-Assessments
Risk monitoring reports include:
- description of risk
- probability x impact ranking, with explanation
- risk mitigants
- action plans for reducing risk
- target dates for implementation.
Key Risk Indicators
Early warning indicators of risks requiring attention.
Suitable for activities that are trackable on a regular basis for trend analysis, such as:
- Staff turnover
- Financial performance against plan
- System interruptions
- Participant claims.
Business unit proposes suitable threshold for Risk Committee approval.
If threshold is breached, action may be required.
Key Risk Indicators
[Chart: Transaction Vol. as a % of Plan. X-axis: monthly, Sep-04 to Sep-05. Y-axis: Percentage Over Plan, 0% to 200%. Series: Exch Trades, Non-Exch Trades, ACCESS, Threshold.]
Key Risk Indicators (KRIs): Trade Volume Fluctuations
Definition and Explanation: The indicator shows the fluctuations in monthly trade volume against the plan, which has a direct impact on revenues.
Threshold: Actual should not fall below plan
Reporting
Each meeting, Risk Committee receives a summary risk monitoring report showing:
- New and materially-updated self-assessments
- Updated risk profile
- Updated key risk indicators.
Internal Audit uses risk assessments at year-end to help develop areas of focus for coming year’s audit plan.
Risk Profile Report
Enterprise Risk Profile Report
For the period ending: <Insert Date>

| Risk Categories | No. of Items | No. of Risk with Red Ranking | Total Prob. Score | Avg. Prob Score (1-4) | Total Impact Score | Avg. Impact Score (1-4) | Risk Exposure Previous Period | Risk Exposure This Period | Ranking This Period |
|---|---|---|---|---|---|---|---|---|---|
| Strategic Risk | | | | | | | | | |
| Development/Implementation | 0 | 0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | |
| Reputation | 0 | 0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | |
| Operational Risk | | | | | | | | | |
| People | 0 | 0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | |
| Processes | 0 | 0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | |
| Projects | 0 | 0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | |
| Technology | 0 | 0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | |
| External | 0 | 0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | |
| Legal and Regulatory | 0 | 0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | |
| Business | 0 | 0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.00 | |
| Financial Risk | | | | | | | | | |
| Credit | 0 | 0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | |
| Market | 0 | 0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | |
| Liquidity | 0 | 0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | |
| Over-all | 0 | 0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | |

Highlights:

Risk Exposure Ranking Equivalent (Prob X Impact):
- 1 – 3 = Green (Low)
- 4 – 8 = Yellow (Medium)
- 9 + = Red (High)
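The scoring from the self-assessment slides, aggregated into the columns of this report template, as an added Python example that is not part of the original presentation. The register entries are constructed, and two points are assumptions because the slides do not define them: a category's exposure is taken as the mean of its items' probability x impact, and a fractional average below 4 is ranked Green. The bands follow this report's legend (a score of 4 is Yellow), not the overlapping Green (1 - 4) / Yellow (4 - 8) ranges on the earlier slide.

```python
from collections import defaultdict

def ranking(exposure):
    """Band a probability x impact score using the report legend."""
    if exposure >= 9:
        return "Red"
    if exposure >= 4:
        return "Yellow"
    return "Green"  # assumption: fractional averages below 4 stay Green

def risk_profile(register):
    """Aggregate (category, probability, impact) items into report rows."""
    groups = defaultdict(list)
    for category, prob, impact in register:
        # Both scales run 1-4, so a single item scores between 1 and 16.
        if not (1 <= prob <= 4 and 1 <= impact <= 4):
            raise ValueError(f"scores must be 1-4: {category} {prob} {impact}")
        groups[category].append((prob, impact))
    # Enterprise-level row built from every item in the register.
    groups["Over-all"] = [x for items in list(groups.values()) for x in items]
    rows = {}
    for category, items in groups.items():
        n = len(items)
        total_p = sum(p for p, _ in items)
        total_i = sum(i for _, i in items)
        # Assumption: category exposure = mean of per-item prob x impact.
        exposure = sum(p * i for p, i in items) / n
        rows[category] = {
            "items": n,
            "red": sum(1 for p, i in items if ranking(p * i) == "Red"),
            "total_prob": total_p, "avg_prob": total_p / n,
            "total_impact": total_i, "avg_impact": total_i / n,
            "exposure": exposure, "ranking": ranking(exposure),
        }
    return rows

# Constructed sample register: (category, probability 1-4, impact 1-4).
REGISTER = [
    ("Technology", 4, 3),  # 12, Red
    ("Technology", 2, 2),  # 4, Yellow under the report legend
    ("People", 1, 2),      # 2, Green
    ("Processes", 3, 3),   # 9, Red
    ("Processes", 1, 3),   # 3, Green
]

if __name__ == "__main__":
    for name, row in risk_profile(REGISTER).items():
        print(f"{name:12} {row}")
```

A category can rank Yellow on average while still containing Red items, which is why the report carries the separate "No. of Risk with Red Ranking" column.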
Reporting
Audit Committee receives a summary key risks report showing:
- Current risk profile
- Red risks and other material changes in higher risks
- Key risk indicators that have breached their thresholds with actions for mitigation.
Exception is annual risk report presented to Audit Committee after fiscal year-end, which reviews risk profile of last year and risks requiring attention in coming year.
Internal Controls
Intended to provide reasonable assurance regarding:
- effectiveness and efficiency of operations
- reliability of financial reporting
- compliance with applicable laws and regulations.
Adequacy audited under Canadian Auditing Standard 5900 for service organizations and reported in Report on Internal Controls and Safeguards (RICS).
New audit standard 5970, comparable to SAS 70, to be applied in 2006.
Internal Controls
Moving from checklist approach to more thorough COSO-based framework.
Framework based on key processes required to conduct business:
- Objectives and risks identified and assessed
- Process flowcharted to identify areas requiring control
- Existing controls identified, with support documentation and management assurance process
- Gaps in controls require remediation within an acceptable time period.
- Signed by supervisor upon completion and basis for future testing by audit.
Internal Controls
Internal controls for key processes supporting financial reporting to be completed by 10/31/06.
Will allow CEO/CFO certification of financial reporting by fiscal year-end 2007.
Key reliance will be on internal control structure and attestation by division heads of compliance.
Tone at the top reinforces importance of internal controls.
Structure acceptable to regulators and external auditor.
Risk Financing Program
Insurance (e.g. FIB, D&O, E&O, general liability) to cover catastrophic losses.
Retain significant levels of risk backed by reserves.
Ongoing education of underwriters of unique nature and coverage needs of CDS.
Differentiation from financial institutions to obtain suitable wording.
Ongoing disclosure and rigour of risk management essential.
Lessons Learned
Start with simple concepts to get buy in, then phase in enhancements.
Use common definitions/criteria.
Initial education and reiteration of objectives and benefits of ERM.
Business units take responsibility for their risks.
Regular review of risk tolerances.
Ensure follow up on improved risk mitigants.
Support from the top is essential.
Conclusions
ERM has enhanced risk management culture.
Improves decision-making in evaluating potential returns
Comparable approach used for assessing project risks.
Effective internal controls structure serves multiple purposes.
Ongoing education and monitoring process that must be supported from the top.