Operational Risk Management Framework in Soneri Bank
Published in: Business, Technology
Transcript

  • 1. OPERATIONAL RISK MANAGEMENT FRAMEWORK IN SONERI BANK
    MBA Research Project, Fall 2013
    Group: Imtiaz Ahmed Hanfi (), Arif Hussain Tirmizi ( )
    Supervised by Syed Farhan Shakeel
  • 2. ABSTRACT
    Banks face many risks, which should be managed, though their core competence is to cut down excess costs and maximize their profits. Operational risk is increasingly important in the management and corporate governance of a bank and increasingly has greater implications for, and interactions with, other risks, such as market or credit risk. The management and analysis of operational risk is a necessary activity for a bank, presenting many opportunities for development and a major field of study on conceptual and practical issues due to the particularity and complexity implied in this type of risk. Making use of secondary data collected through library research, journals and analysis of reports, the paper reviewed the operational risks of banks and their management. Soneri Bank has been selected as a case study in order to understand operational risk management in banks in Pakistan. The SBP's adoption of Basel II has inexorably increased the need for effective management of operational risks and for the development and implementation of structured methodologies for the analysis and quantification of operational risk within the bank.
  • 3. ACKNOWLEDGEMENT
    Completion of our MBA research project was only possible due to the motivation and helping hand of many others along with our own efforts. We would take this opportunity to express our heartfelt gratitude to the people who have been instrumental in the successful completion of this project. Foremost, we would like to express our deep gratitude and respect to Mr Syed Farhan Shakeel, whose advice and insights were invaluable to us; without his motivation and encouragement, this research project would not have materialized. We cannot express our gratitude for your tremendous help throughout the course of this project. Secondly, this report would not have been possible without the respondents who took the time to respond to our questionnaire and enabled us to finish the term report in a timely manner. The guidance and support received from all the members who contributed and who are contributing to this project was vital for the success of the project. We are grateful for their constant support and help.
  • 4. Table of Contents
    ABSTRACT
    ACKNOWLEDGEMENT
    List of Tables
    CHAPTER ONE: BACKGROUND OF THE TOPIC AND STATEMENT OF THE PROBLEM
      Introduction
        I. The Basel II Framework
        II. The Risk Management Guidelines of the State Bank of Pakistan
      Problem Statement
      Scope
      Delimitation
      Objectives
      Definition of Operational Risk
        Causes of Operational Risk
    CHAPTER TWO: RESEARCH METHOD & PROCEDURE
      Research Design & Methods
      Respondents of the Study
      Research Instrument
      Sources of Data
      Treatment of Data
    CHAPTER THREE: LITERATURE REVIEW
      Introduction
        I. Identification of Operational Risk
          1) Definition of Operational Risk
          2) Underlying Operational Risk Factors
            i) People
            ii) Systems (Technology)
  • 5. (Table of Contents, continued)
            iii) Processes
            iv) External Factors
          3) Methods of Risk Identification
      Conceptual Framework
    CHAPTER FOUR: PRESENTATION ANALYSIS
      Operational Risk Management Framework
        I. Risk Identification and Assessment
        II. Risk Monitoring
        III. Risk and Loss Event Reporting
        IV. Other
      Policy and Strategy for Operational Risk Management
        ORM Overall Strategy
        V. Strategy for Operational Risk Identification and Assessment
        VI. Strategy for Operational Risk Monitoring and Mitigation
          Operational Risk Monitoring
          Operational Risk Mitigation
        VII. Strategy for Operational Risk Reporting and Measurement
      Risk and Control Self Assessment (RCSA)
        Purpose of RCSA
      Likelihood Grid
      Impact Grid
      Heat Map
      Analysis of Data from Survey
    CHAPTER FIVE: SUMMARY OF FINDINGS, CONCLUSION & RECOMMENDATION
      Findings
        I. Interview
  • 6. (Table of Contents, continued)
        II. Survey Results
      Conclusion
    APPENDIX
      Questionnaire
      References
  • 7. List of Tables
    Table 1.1: Source: (Laycock, 1998)
    Table 1.2: Taken from Crouchy (2000)
    Table 2.1: Risk Impact Table
    Table 2.2: Risk Likelihood Table
    Table 2.3: Activity based Risk & Control Self Assessment at Soneri Bank
    Table 2.4: Likelihood Grid
    Table 2.5: Impact Grid
    Table 2.6: Soneri Bank's Heat Map
  • 8. CHAPTER ONE: BACKGROUND OF THE TOPIC AND STATEMENT OF THE PROBLEM
    Introduction
    Banking business is all about managing risks and returns, the accomplishment of which continues to present a key test to all banking institutions. The success of a bank is consequently dependent on how well it manages its risks. The foremost purpose is not to eliminate risk, but to be hands-on in assessing and managing risks to the bank's strategic benefit. Banks have been through an intense period of transformation in the past few years, with changes that have significantly enhanced the potential for operational risk. Improved regulation, mergers and acquisitions, internal reformation and changes to systems and technology confront management with a possible minefield of risks as well as issues. Previously, operational risk was dealt with by internal control methods within business lines, supplemented by the Audit function. The industry has now started to use explicit structures and control processes tailored to operational risk mitigation. As operational risks advance with the increasing complexity of the Bank’s activities, the acceptance of a risk management framework is crucial in order to control this risk.
    I. The Basel II Framework
    The global banking sector and controllers now face new challenges with the requirements spelled out in the Revised Framework for International Convergence of Capital Measurement and Capital Standards (often referred to as the “Basel II Accord”) put forward by the Basel Committee on Banking Supervision. The Basel II Accord is the regulatory capital framework that replaced the existing 1988 Capital Accord with a more risk-sensitive framework and introduced for the first time an obligation to hold capital against operational risk.
  • 9. Significant transformation in risk management practices, the regulatory environment and financial markets over the last decade has resulted in the need to strengthen the stability of the international banking system. The framework places increased focus on compliance and supervisory evaluation, and also on capital management, which is expected to be achieved through a closer alignment of capital to actual risks (risk sensitive capital requirements). The Basel II Accord introduced the following three approaches for the computation of the operational risk capital charge:
    a) Basic Indicator Approach (BIA)
    b) The Standardized Approach (TSA)
    c) Advanced Measurement Approach (AMA)
    II. The Risk Management Guidelines of the State Bank of Pakistan
    The SBP has adopted the Basel II Accord vide its BSD Circular No. 8 dated June 27, 2006, detailing the instructions and rules relating to the capital adequacy requirements under the said Accord. According to the circular, banks may choose to adopt either BIA or TSA, while the AMA is not being proposed at the moment. However, banks are advised to follow international best practices, with reference to data availability and the sophistication of their risk management framework, and may prepare themselves for an early adoption of AMA, as and when approved by the SBP.
    Problem Statement
    To identify the current status and the underlying factors of operational risk management, in order to provide a comprehensive description of the Operational Risk Framework.
  • 10. Scope
    This study would be conducted on one of the emerging banks in Pakistan, i.e. Soneri Bank. The participants for qualitative research are bankers from the operational department of Soneri Bank in Karachi, who shall be interviewed.
    Delimitation
    Our study primarily focuses on three main factors of operational risk only:
      - People
      - Process and System
      - External Factor
    Objectives
    The purpose of this study is to suggest a structured approach for operational risk in a banking environment in order to protect the interest of the stakeholders as follows:
      - Providing depositors with greater reliability;
      - Providing quality services to customers and increasing their confidence in doing business with the Bank;
      - Providing employees with the best possible working environment to improve their morale and efficiency; and
      - Improving the overall financial image and reputation in front of the government and regulators.
    Definition of Operational Risk
    The Basel II Accord describes operational risk as the possibility of loss resulting from inadequate or failed internal processes, people and systems or external events. This definition takes account of legal risk, but excludes strategic and reputational risk. Though reputational risk is not formally integrated in the classification of operational risk under the Accord, the Bank considers the reputational consequences of failures in operational risk management as a component of the ORM framework across the Bank.
  • 11. From the Bank’s perspective, operational risk is classified as the risk of loss resulting from inadequate or failed internal processes, people and systems or external events. This classification includes legal risk as well as the reputational consequences of failures in operational risk management.
    Causes of Operational Risk
    Risk is stated in terms of three components: event, cause and effect. This can be explained by an easy example, a worm virus:
      a. Event (Risk) – a virus enters your computer;
      b. Cause – the external cause is a hacker, the internal cause is a lack of current virus protection software; and
      c. Effect or consequence – computer software fails; data is lost, with potential financial and non-financial consequences.
    Identifying the root cause of an event (risk) helps to isolate operational losses from other types of losses and to understand what action might be appropriate to mitigate the risk level. Some examples of operational risk causes include:
      - lack of policies and procedures
      - insufficient segregation of duties
      - not enough training
      - insufficient activity management
      - lack of management review and supervision
      - insufficient analyses
      - information processing mistakes
      - not enough physical controls
      - inadequate business continuity plan and disaster recovery plan
      - risk factors that are not in the control of the bank
    When the root cause of a loss event or probable loss is internal, the center of attention must be on how to address the causal factor(s). This usually involves changing a business process or enhancing controls to decrease the potential odds and impact of a risk event.
  • 12. For example, if “miscommunication” of significant information resulted in some serious consequences, consideration should be given to improving the quality of communications, perhaps by implementing a rigorous Management Information System (MIS). When the root cause of a loss event or probable loss is external, the focus should be on how well the key risk indicators (that are not in the Bank’s control) are being monitored.
  • 13. CHAPTER TWO: RESEARCH METHOD & PROCEDURE
    Research Design & Methods
    Research Type: Qualitative. The research strategy is a case study. Data Collection: Primary Data and Secondary Data.
    Respondents of the Study
    Soneri Bank personnel who are directly and indirectly involved in managing operational risks.
    Research Instrument
    The research instruments used to collect data pertaining to our research will be interviews, a questionnaire and documented data of Soneri Bank.
    Sources of Data
    The data for the guidelines with respect to ORM at Soneri Bank have been obtained from the risk management guidelines of the State Bank of Pakistan (SBP) and the Basel II Accord issued by the Basel Committee and adopted by the SBP.
    Treatment of Data
    Data gathered will be inferred according to our own understanding of an optimal research framework, and results obtained through the survey will be analyzed through Excel graphs.
  • 14. CHAPTER THREE: LITERATURE REVIEW
    Introduction
    Globalization and new technology have provided the banking industry with profit-making opportunities but have also made it more vulnerable to operational risk. It seems that the industry’s risk-control capabilities have not kept pace with these developments, as proved by, for example, the Barings bank trading saga in 1995. This occurrence, together with many others, motivated banks to take a more proactive approach to operational risk management. The first challenge is to identify the underlying risk factors on which a definition for operational risk could be based. This definition could, in turn, be used for the classification of operational risk in the identification process. The second challenge is to evaluate the risk factors to determine their potential impact on banking institutions. The appropriate techniques available to measure these factors, and therefore control them, will also be discussed. Thirdly, risk control will be addressed in terms of the activities needed to eliminate or reduce the potential adverse effects of the underlying risk factors as well as the organizational structure that should be in place to support risk management activities. Lastly, the cost of managing operational risk will be discussed.
    I. Identification of Operational Risk
    Williams (2000) holds that determining operational risk depends on the particular firm and also states that “The key thing is that firms really need an internal definition of operational risk. People talk about key factors or key risk factors with the idea being to pick a finite list of things that you believe you have exposure to, and then prioritize those and focus on the ones that seem to be the most important.” Williams (2000) emphasizes that risk identification, as the first step of a risk management process, provides an important foundation for the firm to rely on in the future. Furthermore, if there is not a clear understanding of what operational risk means to the individual business units and the corporation as a whole, it will not be possible to build any technology systems for the measurement and management of the risks.
  • 15. Although it might sound straightforward, it often causes confusion as managers focus on the effect, rather than the cause, of the risk. In this regard, Rachlin (1998) states that banks often try to reduce the symptoms rather than rectify the underlying problems. Hence the necessity to take a brief look at the causes and effects of operational risk.
    RISK FACTOR | CAUSE | EFFECT
    People (Human Resource) | Loss of key staff due to defection of key staff to competitor | Variance in revenues
    Process | Declining productivity as value grows | Variance in process costs from predicted levels
    Technology | Year 2000 upgrade expenditure | Variance in technology running costs from predicted
    Source: Adapted from (Crouchy, 2000)
    Laycock (1998) lists six categories of causes that could give rise to operational risk (Table 1.1):
    PEOPLE/EMPLOYEES
      - Errors
      - Misdeeds
      - Employment law
      - Employer’s liability
      - Absence/Loss of key staff
      - Organizational structure
      - Corporate Governance
      - Wrongful trading
    CUSTOMER RELATIONSHIP
      - Client suitability
      - Client capacity
      - Client power/authority to transact
  • 16. (Table 1.1, continued)
      - Money laundering
    TECHNOLOGY
      - System failure
      - System integrity
      - System age
      - System suitability
      - System support
      - System conformance to corporate standards
      - Model risk
      - Data quality
    ASSETS
      - Business interruption
      - Asset loss/destruction
      - Third party theft
      - Fraud
    REGULATOR/SUPPLIERS
      - Legal risk
      - Compliance with standards
      - Changes in regulatory standards
      - Supplier “Failure”
    OTHER
      - Project risk
      - Reputation risk
    Table 1.1 Source: (Laycock, 1998)
    This list is, however, not exhaustive and presents only one way of categorizing the causes and events relating to operational risk. Among the categories listed are some that are extremely difficult or impossible to quantify, such as the organizational issues. Crouchy (2000) states that operational risk can be broken down into three main risk factors, namely the failure of people, processes and technology deployed within the
  • 17. business (Table 1.2). They also classify these main risk factors according to internal and external dependencies. Internal dependencies should be analyzed according to a set of common features consisting of three key components, namely, capacity, capability and availability.
    Table 1.2: Taken from Crouchy (2000)
    1) Definition of Operational Risk
    From the above discussion it is evident that an accepted definition of operational risk should include both the internal and external underlying factors. A suggested working definition for operational risk by the (Authority, 1999) is: “The risk that the continuation of business may lead to loss as a result of human fallibility, technological shortcomings and/or various external factors. A bank should mitigate these risks through the use of systems and controls. However, if the latter is inadequate, they may constitute new risks and/or exacerbate existing risks”
  • 18. The factors included in the definition could be easily identified as:
      - People (human fallibility)
      - System (technological shortcomings and breakdowns)
      - Processes (systems and control)
      - External factors
    It could, however, be said that other risks that a bank is exposed to could also include the above mentioned factors. As such it is important to qualify the interrelation of these operational risk factors with the other primary risks, such as credit risk, market risk, liquidity risk and country risk. It is, therefore, imperative to distinguish clearly between operational risk and other risks to ensure a more positive management approach towards operational risk. According to the (Authority, 1999) it is imperative that a definition of operational risk should be as comprehensive as possible. It is prudent to consider all the risks that an institution faces and to mitigate those risks. Failure to include a risk explicitly in a definition may result in failure to consider that risk. Therefore, the inclusion of the underlying factors of operational risk in its definition is imperative. Reflecting the main underlying risk factors in the definition of operational risk could also assist the process of evaluating and quantifying operational risk for control purposes. During a conference on 21 May 1998, the Operational Risk Forum decided to identify a narrow and a wide definition of operational risk.
    Narrow definition: Operational risk is seen as risk residing in a department called “operations” and is described as those errors and omissions of controls, systems and processes which may lead to potential losses.
    Wide definition: Operational risk is seen as all risks not covered by market or credit risk. The problem with this approach is that it may leave an unidentified residue, which could impact the income statement materially and undermine the wide definition approach.
    In order to accommodate the wide and narrow definitions, the Operational Risk Forum defined operational risk as follows:
  • 19. “Operational risk is the exposure to potential financial losses. Such losses may be caused by internal or external events, trends and changes, which were not captured by the corporate governance and internal control framework, systems, policies, organization, ethical standard or other key controls and standards of the firm. Such losses exclude those already captured by other risk categories such as market, credit, or strategic/business risk”
    Although this definition includes the main underlying operational risk factors (people, system, process and external factors), it also includes other elements or “sub-risk” factors such as policies, control framework and ethical standards. This approach could possibly lend itself to the omission of other factors, for example, procedures, organizational structures and risk principles. This definition, although comprehensive, should rather be stated differently by referring only to the main underlying risk factors. This will ensure that no “sub-risk” factors are omitted and that it still covers the requirements of a narrow and wide approach. Taking into account all the previously discussed viewpoints of operational risk, a suitable definition for operational risk management in a banking environment could be the following:
    Operational risk is the exposure of a bank to possible losses, resulting from inadequacy and/or failure in the execution of its operations. The source of these losses could be process, people, system and external events.
    This definition firstly comprises the main underlying operational risk factors, namely, people, processes and systems. Although the factors are seen as an integral part of operational risk, they could also have an influence on the total organization in terms of its operations. As such, it is important to take cognizance of interrelationships between operational risk and the other main risk types like credit, market and liquidity risk. The following example illustrates the interrelationship between operational and credit risk: The failure of a bank’s credit system could result in a loss of credit business. Although it is a loss in terms of credit business, the loss is a result of the system failure. As such, the loss should be classified as an operational loss. The actual risk (operational risk) should be addressed by operational risk control measures,
  • 20. for example, to ensure that back-up systems are in place to prevent any losses due to system failures.
Secondly, the definition includes the risk pertaining to the external factors which are beyond the direct control of a bank. The definition looks specifically at the adverse effect external factors could have on the bank if the people, processes and systems cannot cope with them. For example: If lightning should neutralize the internal system of a bank, preventing the bank from doing business, it could result in a loss. The adverse effect on the systems could be seen as an operational risk exposure; hence the necessity to address it according to an operational risk management process. For instance, having a backup system to ensure the normal continuation of business could be seen as an operational risk control mechanism.
Thirdly, the definition excludes the risk exposures to a bank caused by other risks such as market, credit, liquidity, and country. The intention of the definition is to indicate in a positive way what operational risk entails rather than to indicate that it consists of all factors not covered by the aforementioned risks. This positive approach towards operational risk should allow management to be more specific in addressing all the relevant operational risk factors.
2) Underlying Operational Risk Factors
Katz (1995) stated that no business should be entered into without a full and early assessment being made of the underlying risk factors that relate to it. Furthermore, all risk factors need to be identified such that credit, operating, accounting, reporting and risk management tools can be put in place. Davies (1998) states that a central requirement of a risk allocation process is to be able to assess the extent to which the exposure to a risk factor increases or decreases the expected volatility of earnings. This emphasizes the necessity to identify risk factors with sufficient precision to be able to monitor and control them effectively.
In the previous section operational risk was defined based on the primary underlying operational risk factors that were identified as:
    - People
  • 21.
    - System (Technology)
    - Processes
    - External factor
This section deals in detail with each of these underlying factors to determine their effect on operational risk. During the detailed analysis of the primary underlying operational risk factors, additional sub-risks of operational risk will be identified. For example, people as a risk factor could result from human error, which could cause fraud and subsequently be viewed as fraud risk. However, it must be emphasized that the dynamic nature of a business could influence its exposure to risks, and additional underlying risk factors could evolve, changing the overall potential effect of operational risk.
i) People
The success of a business is dependent on the knowledge, skill and capability of the persons involved in all of the business processes. Kingsley (1998) stated that people are the most important resource of a company and that, historically, they have been overlooked while assessing operational risk, as it is hard to judge the risk of:
    - Human mistake
    - Lack of reliability
    - Lack of separation of duties
    - Poor customer service
    - Dependency on key individuals
    - Inadequate skills
    - Lack of training
Kingsley (1998) argued that one of the major reasons for many dramatic failures is people risk, as it is very difficult to measure. From the above, it is evident that people risk could include a variety of sub-risks which should be addressed during a risk management process.
    - Integrity:
  • 22.
        o Fraud
        o Collusion
        o Malice, the unauthorized use of information
        o Rogue trading
    - Competency
    - Management
    - Personnel
    - Health and safety
Authority (1999) identified the following primary sources of people risks:
    - Incompetent staff
    - Human mistake
    - Poor working environment
    - High staff turnover
    - Poor communication
    - Unauthorized decision making
Wilson (2000) states that human resources (people) risk is not just the responsibility of the human resources department, although that department does contribute to controlling the risk. The business units themselves have specific responsibilities regarding the control of operational risk. For example, given the rogue trader problems which some banks have suffered, it is also important that the operational risk manager checks that the human resources department has sufficient controls with regard to personnel security, namely:
    - Hiring process
        o References and working credentials
        o Existing and ongoing security training and awareness program
        o Job descriptions defining security roles and responsibilities
    - Termination procedures
        o The extent of the termination debriefing
        o Ensuring revocation of physical access (cards, keys, system access authority ID etc)
  • 23. ii) Systems (Technology)
A bank faces operational risk when the system it chooses is not designed or implemented according to the requirements of end users, both internal and external. For example, if the systems of a bank are too slow, the result is delays in customer service. A further problem banks face is rapidly changing technology, which exposes them to the risk of systems obsolescence. For example, electronic banking systems require regular updating. This type of software poses a risk for a bank, as criminal or malicious individuals could interrupt and modify it, leading to potential losses. In addition, staff must be trained for new technology so that they can understand and run the new systems. So, whenever the technology changes, it exposes the bank to operational risk.
Operational risk could also be identified in terms of a risk resulting from system failures, which reflects the possibility that the systems are inherently flawed and could arise from various factors. Various authors include systems to define operational risk, as shown in the following extracts.
    - “…risks are those of malfunctioning of the information systems...”
    - “…the potential for adverse fluctuation due to the effects attributable to system...”
    - “...the risk runs by a firm … its internal practices, policies and systems...”
    - “Operational risk arises from the potential for inadequate systems...”
According to Wilson (2000), technology risk is at the heart of a business such as investment banking and should be addressed during the implementation of any system changes or developments. A firm could be exposed across all business areas to general technology risk. He lists the following types of risk protection against system risk:
    - Physical protection
    - Functional protection
    - Data protection
The sub-risk factors of systems could be summarized as follows:
    - System failures
    - Security breaches
    - Non-development of systems and implementation failure
    - Insufficient systems capacity
  • 24.
    - Poor data integrity
This list could be expanded or formulated more accurately according to the systems needs of an organization.
iii) Processes
According to various definitions of operational risk, it is once again evident that processes form an integral part of operational risk and could thus be seen as a main underlying risk factor. This is substantiated by the following examples:
    - “The risk of loss caused by failure in operational processes…”
    - “Operational risk is the exposure to financial or other damage arising through unforeseen events or failure in operational processes…”
    - “Risks are associated with any other day-to-day business processing…”
    - “Operational risk involves processing…”
    - “Operational risk arises from failure to control … processing…”
    - “Operational risk is the potential for loss caused by events such as the breakdown of processes…”
The process environment forms a part of the operations environment, and the components of the environment act upon and influence each other (Davies, 1998). Thus an external event, such as the introduction of the Euro, could have an impact on a bank’s process environment, as it could influence the internal processes which relate to the activities involved in dealing with the Euro. The process environment ultimately controls the quality of data integrity. This, according to Davies, includes both static data and transaction data. The risk could arise at any part of the process, from order capture to the recording of the transaction to the general ledger. Davies states that operational risk is therefore not limited to operations functions and may also exist in the following circumstances.
    - Set Up
        o The set up of new instruments and counterparties
        o New business process to control the migration of new products into the process environment
  • 25.
    - Pre-Settlement Activity
      The settlement and agreement of trade data and details of settlements with third parties:
        o Trade capture
        o Confirmation/affirmation
        o Balancing to exchanges, and
        o Maintenance events, for example, rates re-fixes and expiries
    - Post-settlement activity
      The movement of, and control over, cash and physical assets:
        o Processing of the movement of assets, such as cash and stock
        o Inventory management, for example, custody and corporate actions processing, and
        o Reconciliation of internal records to custodians and agents
In order to address the processing risks, as part of operational risk, it must be determined exactly where the risks are within each environment. According to Davies, this activity can be initiated by looking at the process flow of a single trade, determining where the risk occurs and how it can be measured. It is also evident that processes form an integral part of operational risk and could thus be seen as one of its main underlying risk factors.
iv) External Factors
External factors beyond the direct control and influence of the organization could have an adverse effect on the internal underlying operational factors. It is imperative therefore that these external factors should be considered during an operational risk management process. The following extracts from various definitions confirm this view:
    - “Operational risk also includes losses from external events…”
  • 26.
    - “Operational strategic risk originates outside the firm since it stems mainly from external areas such as regulatory and fraud risk…”
    - “…risk of business disruption, control failures, errors, misdeeds or external events…”
It is important to understand that reference to external events is not intended to include defaults or market factors that would be captured under definitions of market and/or credit risk.
According to Authority (1999), fraud risk is considered an external risk factor. However, it could also evolve internally. Mayland (1993) states that fraud risk is the risk that results from illegal actions of a bank’s employees, customers, additional parties on a transaction or outside intruders.
Systemic risk is also seen as a sub-risk factor. Mayland states that systemic risk arises when a bank participates in a payments or securities clearance network. If a network participant, for example, fails to settle and causes other participants to have liquidity problems, it is possible it could also suffer liquidity problems. Systemic risks, however, are a legitimate concern of credit administration and credit policy executives. There is a great deal of regulatory concern for systemic risk, and most of the payments, securities and derivatives networks devote a great deal of effort to understanding and controlling systemic risk.
Regulations are another external factor that could cause operational risk for a bank. Mayland (1993) states that the regulators are concerned that some banks are not devoting enough management attention to the “off-balance-sheet” risks associated with corporate services. Regulators are therefore responding with specific requirements that force banks to manage operating risks as one of their priorities.
Because banks have no direct control over that part of operational risk which is generated by the external factors, it is difficult to manage it proactively. Although it is difficult to quantify these factors, it is important for a bank to anticipate and address the relevant issues in order to reduce the factors’ adverse effects.
  • 27. As with the other main underlying risk factors of operational risk, external factors can be divided into sub-risks to demarcate the areas that should be addressed during the management process, namely:
    - Criminal activities
    - Catastrophes/natural disasters
    - Regulations/compliance
    - Information Security
    - Economic and Political activities
Once again it must be emphasized that this list could be expanded, depending on the exposures of an organization.
3) Methods of Risk Identification
The Financial and Management Accounting Committee (FMAC) states that management and other relevant personnel could identify the key risks in a number of ways, for example:
    - Workshop and interviews
    - Brainstorming
    - Questionnaires
    - Process mapping
    - Comparisons with other organizations
    - Discussion with peers
The Authority (1999) states that the tools for identifying risks could include checklists, questionnaires, standard templates and facilitated workshops. The estimation of the impact and probability of the risk event is, however, usually left to the judgment and experience of the business unit manager. Sometimes loss data of external or internal events could provide management with examples of the impact of similar events. In a diverse organization, questionnaires tend to be less useful, as the questions they contain may not be very business specific. However, where an institution is involved in a similar business at a number of sites, for example, the branch network in a retail bank, a more detailed questionnaire may be suitable because of the homogeneous nature of these business units.
  • 29. Conceptual Framework
[Figure: conceptual framework diagram. Labels shown: Key; Independent Variable; Moderating Variable; Dependent Variable; Components of Operational Risk Management System (Risk Policy & Strategy, Risk Identification, Risk Assessment, Risk Management & Monitoring, Risk & Loss Event Reporting); Culture of Organization; Awareness of Employees; Governance; Business Strategy; Operational Risk Management System.]
  • 30. CHAPTER FOUR: PRESENTATION ANALYSIS
Operational Risk Management Framework
The operational risk management framework at Soneri Bank comprises the following key elements:
    a. Governance structure for operational risk management
    b. Roles and responsibilities of BOD, Risk Management Committee, Senior Management, Head of Risk Management, Operational Risk Management Department and other related personnel or functions.
    c. Operational risk management strategies and processes for risk identification, assessment, monitoring, reporting and measurement.
Figure 1: Chart drawn from the information provided during the interview.
[Chart labels: Operational Risk Management Framework; Operational Risk Policy, Strategy & Governance and Organization; Risk Policy & Strategy; Risk Identification; Risk Assessment; Risk Management & Monitoring; Risk & Loss Event Reporting; Procedures; Culture and Awareness.]
  • 31. The Operational Risk Management Division (ORMD) is responsible for:
    a. Risk Identification and Assessment
    b. Risk Management and Monitoring
    c. Risk & Loss Event Reporting
    d. Risk Policy & Strategy
I. Risk Identification and Assessment
The ORMD is responsible for:
    - Conducting risk and control assessment of each process.
    - Assisting business and support units in identifying, assessing and monitoring operational risk.
    - Establishing Bank-wide risk bands in order to assess the likelihood of occurrence and financial impact of each inherent risk identified in the process of the RCSA exercise.
    - Conducting RCSA workshops with the process owners or RCSA Coordinators for identifying key risks, their related controls, key risk indicators, severity and likelihood, thresholds and responsibilities.
    - Accumulating critical risks and key risk exposures identified by RCSA Coordinators and communicating the same to the HRM and the RMC.
    - Evaluating new product proposals with respect to operational risks and adequacy of mitigating controls.
II. Risk Monitoring
    - Acting as an ORM help desk for facilitating the Risk and Control Self Assessment (RCSA) process and resolving RCSA related queries.
    - Coordinating with business and support units and developing the operational risk tolerance levels for each of the key risks identified.
    - Monitoring Key Risk Indicators throughout the Bank.
  • 32. III. Risk and Loss Event Reporting
    - Reviewing loss event reports submitted by various business and support units of the Bank and accumulating the same in the loss event database.
    - Implementing a reporting mechanism by generating reports from the loss event database in a timely manner, for monitoring critical risk issues and escalating the same to the senior management.
    - Developing operational risk measurement methodologies which reasonably estimate unexpected losses.
    - Developing operational risk database and data management capabilities to support the ORM framework, such as a centralized loss event database (including external operational loss events), comprising a set of risk metrics.
IV. Other
    - Formulating ORM strategy, policies and procedures and other key elements of the ORM framework, for review and approval by the RMC / BOD.
    - Creating a risk management culture throughout the Bank, which includes providing awareness of the significance of ORM and internal controls, generally accepted risk management practices, the Bank’s internal policies and procedures and the changes in the risk management systems.
    - Reviewing outsourcing arrangements proposed by business and support units.
    - Providing recommendations to the RMC regarding the appropriate resources and technology to be obtained for implementing the ORM framework.
    - Liaison with the State Bank of Pakistan for operational risk matters.
Policy and Strategy for Operational Risk Management
Operational risk policy and strategy has been built around the overall risk strategy of the Bank and reflects the Bank’s appetite for risk and its understanding of the specific characteristics of operational risk.
  • 33. By implementing a Bank-wide ORM framework, the Bank aims to protect the interest of the stakeholders as follows:
    a. Providing depositors with greater reliability.
    b. Providing quality services to customers and increasing their confidence in doing business with the Bank.
    c. Providing employees with the best possible working environment to improve their morale and efficiency, and
    d. Improving the overall financial image and reputation with the government and regulators.
ORM Overall Strategy
In order to achieve the above objective, the strategy adopted by the Bank is to minimize operational risk losses and articulate risk appetite and thresholds. In this regard, the Bank has developed the strategy for identification, mitigation, assessment, monitoring, reporting and measurement of operational risk. The ORMD, with the support of the RMC and senior management from business and support units, ensures that adequate strategies are implemented to achieve the operational objectives of the Bank.
In order to achieve its ORM strategy, the Bank aims to implement an effective, consistent and comprehensive ORM framework and approach for monitoring and communicating risks, supported by a suite of principles, policies and controls, including a code of conduct, authority guidelines, business process standards, policies regarding major risk categories, systems and processing controls, and an approval process for new products.
V. Strategy for Operational Risk Identification and Assessment
The ORMD uses risk and control self assessment (RCSA) as a tool to categorize and compute the operational risk inherent in all activities, procedures and structures. The RCSA exercise is conducted within each key business and support unit in the Bank, mainly through meetings/workshops with the senior management. The key business and support units are identified using the following parameters:
    a. The Bank’s operational and reporting structure.
    b. Qualitative and quantitative materiality, and
  • 34.
    c. Discussion with the HRM and the senior management of the Bank.
The output of the exercise is an RCSA matrix for each business and support unit, mainly comprising the following:
    a. Names of the key processes and their respective activities.
    b. Inventory of key operational risks and key operational controls.
    c. Inherent and residual risk assessment of each risk.
    d. Description of key risk indicators.
The head of the respective business and support unit is responsible for identification of key inherent risks mainly arising from the following factors as defined by Basel II:
    a. People risk;
    b. Process risk;
    c. System risk; and
    d. External events
For the purpose of this exercise each unit in the Bank nominates a senior management person from the unit as RCSA coordinator.
The scope and time horizon for ORM is very wide, which makes it important to prioritize key risks causing the greatest exposure. Best practices increasingly require risk to be measured in quantitative terms. Hence, each identified key operational risk is assessed for the severity and likelihood of its occurrence and then mapped to the Loss Event Types specified by Basel II. The effectiveness of the controls associated with these risks is assessed from both an inherent and residual risk perspective.
The RMC approves the Bank-wide operational risk impact and likelihood table based on the recommendation of the HRM.
  • 35. The risk impact table comprises the scores from 1 to 5 defined as:
Table 2.1: Risk Impact Table
Each of the above scores is defined as operational loss range bands in terms of Pakistani Rupees in millions. Similarly, the risk likelihood table comprises the scores from 1 to 5 defined as:
Table 2.2: Risk Likelihood Table
Each of the above scores is defined in terms of time ranges such as almost monthly or once in a year.
The risk assessment tables for risk impact and likelihood are reviewed on a periodic basis and revised by the ORMD after getting input from the senior management. Any revisions to the risk assessment tables are referred to the RMC for approval.
During the workshop, the ORMD obtains input from the RCSA coordinator and the senior management team participating in the workshop regarding key risk indicators (KRIs) to be formulated for key operational risks and the acceptable thresholds for the same. KRI is a
  • 36. combined measure of a Key Performance Indicator (KPI) and Key Control Indicator (KCI) that are used to link the residual impact of the risk with the likelihood of the risk occurring. In other words, a KRI shows the extent of stress that a core process is facing. KRIs are linked directly to risks, and at the time of developing KRIs the focus is on the controls and the information systems available to the Bank for reporting such KRIs. In addition to the qualitative requirements of KRI data, it is important for KRIs to have an element of measurability, and their thresholds are monitored at the periods specified in the KRI.
The KRIs and the thresholds set for KRIs are revisited by the senior management and ORMD on an annual basis or whenever required, and changes are made due to improvement in the controls, change in risk appetite and availability of better IT systems for KRI reporting.
The RCSA coordinator, annually or as and when required, undertakes the RCSA exercise initiated by the ORMD to ensure that any changes to the unit’s operational / business objectives, key operational risks and controls, inherent and residual risk assessment and key risk indicators are being captured. The results of the RCSA exercise are validated by the Audit Division and forwarded to the ORMD for review. Further, RCSAs are reviewed by the Manager ORMD and are approved and signed off by the Head of the respective business and support units.
VI. Strategy for Operational Risk Monitoring and Mitigation
Business and support units are responsible for monitoring and mitigating operational risks and correcting related internal controls in a timely manner. Senior management of the business is responsible for ensuring that they have in place policies and procedures to control, monitor and mitigate operational risks. These policies and procedures are supported by a strong control culture.
  • 37. Operational Risk Monitoring
For the purpose of effective risk monitoring the ORMD recommends a risk appetite/tolerance table. It is expressed in terms of impact, through an appropriate limit structure and control processes to enforce these limits.
The operational risk appetite/tolerance level for the Bank is determined and recommended by the HRM after getting the input of the senior management of the Bank; it is then endorsed by the RMC and approved by the BOD. The operational risk tolerance level is documented and communicated via a separate BOD approved policy.
RMD considers the following factors while determining the Bank-wide operational risk tolerance level:
    a. Risk and Control Self Assessment Exercise,
    b. Beta (β), set by the Basel Committee for Banking Supervision for eight business lines under The Standardized Approach of Basel II,
    c. Operational loss data of the Bank; and
    d. Operational loss data collection exercise conducted by BIS.
The risk appetite table is reviewed and amended, if required, on an annual basis. The senior management of the business and support units then develop the strategies for controllable risks and for the risks which cannot be controlled. Such strategies include implementation of additional controls or outsourcing of risk through insurance. Further, the KRIs are developed during the RCSA exercise, along with their trends over a period of time.
Operational Risk Mitigation
As per the Basel Committee ORM Guidelines, a bank must have policies and procedures to control and mitigate the operational risks arising from the following factors:
    a. People risk
    b. Process risk
    c. System risk, and
    d. External events.
  • 38. The operations manual includes policies and procedures for the concerned business and support unit, comprising the key operational controls to mitigate the key operational risks from the process/function. These policies and procedures are reviewed by the ORMD on a periodic basis to ensure all key operational controls have been documented.
Further, any proposed mitigation plans for key risks are reviewed by the Manager ORMD, the HRM, the Head of Audit and the Head of Compliance before escalation to the senior management and incorporation in the operations manual of the concerned business and support unit. Implementation of the existing and proposed policies and procedures is monitored by the operations group along with the audit and compliance divisions.
VII. Strategy for Operational Risk Reporting and Measurement
The ORMD works with management of business and support units to prioritize risk mitigation strategies. For this purpose the RCSA coordinators and the senior management will report the following to ORMD:
    a. Information relating to operational losses,
    b. Deviations of actual KRIs from their acceptable thresholds,
    c. Change in the residual risk profile due to change in the controls structure.
The reporting of operational loss events and KRI deviations is done by the management to ORMD. All the operational loss data and near misses are reported to ORMD on a monthly basis. Further, KRI monitoring reports and any breaches are reported on a quarterly basis by the respective business and support units’ RCSA Coordinators.
Based on the reporting from the business and support units, the ORMD establishes an operational loss events database. Data is captured and reported as and when operational risk events occur, and events are classified in accordance with the Basel II risk categorization framework. The operational loss event database is used by ORMD in producing operational loss and KRI reports.
  • 39. The operational loss events with critical or high impact and likelihood levels as per the Bank-wide risk impact and likelihood table will be escalated immediately by the ORMD to the senior management of the respective business or support unit and the RMC for the required action. The senior management of the concerned department is responsible for taking the required remedial action/meeting.
These reports are consolidated and distributed by the ORMD to appropriate levels of management dealing with the areas which may suffer potential operational impact. In particular, the RMC needs to be made aware of all significant risk loss incidents or limit excesses, as well as any follow up actions that have been taken.
Risk and Control Self Assessment (RCSA)
The RCSA is a structured process designed to enable the identification, self assessment, evaluation, and monitoring of key operational risks and controls. The process shall also result in:
    a. Business/Support units assuming ownership of their respective key operational risks and mitigating them through key operational controls on a regular basis.
    b. Monitoring of key operational risks through KRIs and related KRI thresholds
    c. Implementing controls and mitigating the risks to the acceptable levels, ensuring that product/service delivery is handled as per policy guidelines and customer relationships are maintained adequately
Purpose of RCSA
The purpose of RCSA is to:
    a. Make most efficient use of resources.
    b. Work with business owners to diagnose business processes and embedded risks.
    c. Ensure application of and compliance with policies, procedures, laws and regulations.
    d. Enhance safety standards by assessing controls and their effectiveness.
  • 40. Table 2.3: Activity Based Risk and Control Self Assessment (RCSA) at Soneri Bank
    - Activity: Account Opening
    - Sub Activity: Entering customer information in the system
    - Basel II Loss Event Type Classification:
        o Loss Event Type 1: Execution, Delivery & process management
        o Loss Event Type 2: Transaction capture, execution & maintenance
    - Risk ID: 1
    - Risk Description (Loss Event Type 3): Customer account master file information may be incorrectly entered in the system
    - Mitigating Controls:
        o Control ID 1.1: An independent person reviews the input of customer account master file information into the system for accuracy by matching it with account opening forms
        o Control ID 1.2: All accounts opened are supervised by the branch manager.
    - Owners shown (Process / Risk Owner, Control Owner, Summary of Owner Responsibilities): Account Opening Officer; BM/BOM
    - Key Risk Indicators (KRI): Description: Number of audit objections; Threshold: 0%
    - Score columns: Inherent Risk (Impact, Likelihood), Residual Risk Assessment (Impact, Likelihood), Expected Loss; score values shown: 3, 5, 5, 1
  • 41. Likelihood Grid
    The Likelihood Grid shows the score for the frequency of a risk. The scale runs from 1 to 5. A score of 5 means that an event occurs every month, while a score of 1 means the event might occur within 20 years.
    Table 2.4: Likelihood Grid
  • 42. Impact Grid
    The Impact Grid of Soneri Bank indicates a score from 1 to 5, showing the ratings and the corresponding losses according to the table given below:
    Table 2.5: Soneri Bank’s Impact Grid
  • 43. Heat Map
    The heat map shows the relationship between Impact and Likelihood. All the risk events of each department are mapped on the heat map so that it becomes easier to analyze how many events are in the low risk category and how many are in the middle and high risk categories.
    Table 2.6: Soneri Bank’s Heat Map
  • 44. Analysis of Data from Survey
    1) In what categories does Soneri Bank categorize the operational risk? (Please select all that apply)
    The categories in which most of the personnel in Soneri Bank place operational risk are external events that cause damage to physical assets and unauthorized activities by external parties, followed by the other categories, as shown in the following graph.
    Don’t know: 0%
    Other: 8%
    Outsourcing: 80%
    Business process risks: 92%
    Business disruption and system failures: 96%
    Client, Product and business practices: 96%
    Intentional misconduct (internal fraud): 96%
    Employment practices and workplace safety: 96%
    Unauthorized activities by external parties: 100%
    External events that cause damage the physical assets: 100%
  • 45. 2) To what extent SONERI BANK applied technology in its operational risk management program? (Please select all that apply)
    Don’t know: 4%
    None, no consideration has been given: 0%
    Technology is being considered: 12%
    Technology is being used for the automation of risk …: 88%, 96%, 64%
    3) What is operational risk reporting used for? (Please select all that apply)
    Operational risk reporting is extremely important as it is used in the day to day management of Soneri Bank operations.
    Other: 0%
    External communication: 0%
    Strategic decision making: 12%
    Financial reporting: 8%
    Compliance: 12%
    Day to day management: 88%
    4) What measures has SONERI BANK taken to reduce potential redundancies in completing operational risk assessment (e.g. internal audit, risk management, compliance)? (Please select all that apply)
  • 46. Risk assessment and risk functions have been mostly consolidated in order to reduce potential redundancies which might exist in operational risk assessment.
    Don’t know: 4%
    None: 0%
    Other: 4%
    One governance or oversight function: 0%
    Established template with common …: 80%
    Consolidated risk assessment functions: 88%
    Consolidated risk assessment activities: 96%
    5) Does operational risk management system capture the interrelation between the various risks identified? (Please select all that apply)
    Mostly the interrelation of operational risk with other risk is captured in a quantitative way by the operational risk management system.
    Don’t know: 0%
    No: 4%
    Yes, other: 0%
    Yes, in a quantitative way (e.g. correlations): 72%
    Yes, in a descriptive way: 36%
    6) At what time intervals is the operational risk assessment reviewed? (Please select all that apply)
    The operational risk assessment is reviewed once yearly.
  • 47. 7) What information is collected as part of the operational risk assessment? (Please select all that apply)
    Don’t know: 4%
    Other: 16%
    Risk appetite/Limit: 96%
    Key risk indicators: 96%
    Action plan if risk appetite/limit is breached: 92%
    Risk ranking: 92%
    Frequency: 92%
    Impact: 92%
    Control description: 92%
    Risk owner: 96%
    Risk description: 96%
    8) How is the operational risk function organized? (Please select all that apply)
    Most of the risk management of operational risk is conducted centrally.
    Other: 0%
    Both: 8%
    Centralized: 88%
    Embedded in the lines of business: 4%
  • 48. 9) Please rate the following statements on their level of significance to SONERI BANK operational risk program. (1= Not significant, 5= very significant, and 6=Don’t know)
    Share of responses per statement, in the order of the chart legend (5, 4, 3, 2, 1):
    Scenario analysis/stress testing: 56%, 20%, 16%, 8%, 0%
    Key risk assessment: 64%, 28%, 4%, 4%, 0%
    Strategies risk assessment: 48%, 28%, 8%, 16%, 0%
    Loss event management: 68%, 24%, 0%, 4%, 4%
    Risk Control self assessment: 68%, 24%, 0%, 4%, 4%
    Communication with other departments: 84%, 4%, 8%, 0%, 4%
  • 49. CHAPTER FIVE: SUMMARY OF FINDINGS, CONCLUSION & RECOMMENDATION
    Findings
    I. Interview
    We interviewed Mr. Nadeem Ahmed Khan, Manager Operational Risk, Risk Management Division, Soneri Bank. He gave us valuable information regarding the operational risk management framework at Soneri Bank. He also helped us to develop the questionnaire. He explained the basic structure for operational risk management. The chart below shows the fundamental structure Soneri Bank follows for ORM:
    Figure 2: Soneri Bank fundamental structure to follow ORM
  • 50. II. Survey Results
    On the basis of our assessment it can be concluded that Soneri Bank is progressively recognizing the importance of a well engineered ORMF in order to work through diverse economic settings and achieve its business goals, which in a broader perspective is completely factual. Financial breakdown has magnified regulatory inspections, the likelihood of greater reputation risk and the loss of Soneri Bank's self-assurance. These consequences call for vigorous approaches, in both quantitative and qualitative terms, for handling the core risks. Integrating technology, people and processes into risk mitigating actions will help in balancing compliance actions along with strategic opportunities. However, for the organization to engage in the growth process, much effort is needed to build up the ORMF, whether by upgrading the “tone at the top”, empowering business decisions or reengineering modeling and technological capabilities.
    Conclusion
    Most organizations consider ORM a chain of independent tasks, which includes specifying control glitches, accumulating loss data, evaluating capital figures and forming action plans. Many firms have invested huge sums of money over time in implementing these silo-based strategies but were unable to accomplish their targets. As a result, many have wrongly concluded that ORM is an unimportant compliance exercise. However, Operational Risk Management should not be considered a process of disjointed tasks. Instead, it should be viewed as a planned course for formulating up-to-date risk management conclusions, in which control information and significant risk are included in a widespread structure. This approach is termed modern ORM.
    Modern Operational Risk Management uses actuarial science as its basis: a technique for calculating unexpected loss (risk) and expected loss (cost), which can be exercised to optimize risk-reward and risk-control in the framework of cost-benefit analysis.
  • 51. In a modern ORM scenario, senior management evaluates operational risk not as a postscript, but as a vital module for business administration, strategic planning, and enterprise risk management processes. Most firms have by now acknowledged the advantages of modern ORM, and it could guide the way in setting new standards for business practices. Soneri Bank’s ORMF is well engineered and used proficiently to resolve various issues, either by the predefined controls or by their own identified controls. It is not required to advise them to make modifications in accordance with the ideal ORMF. In conformity with their particular classification of framework, processes and interface, the functioning of their ORM structure is adequate and certainly effective in controlling numerous different risks, but evidently there are many areas where development can be pursued further. It was determined that the effect of the risk concentration was a problem which had been identified by people rather than by the system, which indicates that the result may lead to inconsistency, as the impact scale can lie between 1 and 5 and can differ because different people have different perceptions. Among other proposals presented to the ORM, one was the incorporation of some composite algorithms, by means of numerous calculations in sequence, so that the system would be able to signify the strength of the risk impact itself.
    Recommendation
    To conclude this study, we propose the following recommendations to enhance the establishment of a structured approach to operational risk management in Soneri Bank: The framework for a structured approach should be used by Soneri Bank to enhance the development of their operational risk processes. As the concept of operational risk management is not yet fully established in Soneri Bank, it is important to develop and implement a formal training program for operational risk management. This will enhance the awareness of operational risk in the bank and stimulate interest in its management.
  • 52. APPENDIX
    Questionnaire
    Thank you for taking the time to complete this survey. Your feedback is important to us in suggesting ways to improve Operation Risk Management in Soneri Bank. This survey should only take about 3 to 4 minutes of your time. Your answers will be completely anonymous.
    1) In what categories does SBL categorize the operational risk? (Please select all that apply)
    a. External events that cause damage the physical assets
    b. Unauthorized activities by external parties
    c. Employment practices and workplace safety
    d. Intentional misconduct (internal fraud)
    e. Client, product and business practices
    f. Business disruption and system failures
    g. Business process risks
    h. Outsourcing
    i. Other
    j. Don’t know
    2) To what extent SBL applied technology in its operational risk management program? (Please select all that apply)
    a. Technology is being used for the automation of risk reporting
    b. Technology is being used for the automation of risk monitoring
    c. Technology is being used for the automation of risk identification
    d. Technology is being considered
    e. None, no consideration has been given
    f. Don’t know
    3) What is operational risk reporting used for? (Please select all that apply)
    a. Day to day management
    b. Compliance
  • 53. c. Financial reporting
    d. Strategic decision making
    e. External communication
    f. Other
    g. Don’t know
    4) What measures has SBL taken to reduce potential redundancies in completing operational risk assessment (e.g. internal audit, risk management, compliance)? (Please select all that apply)
    a. Consolidated risk assessment activities
    b. Consolidated risk assessment functions
    c. Established template with common assessment questions
    d. One governance or oversight function
    e. Other
    f. None
    g. Don’t know
    5) Does operational risk management system capture the interrelation between the various risks identified? (Please select all that apply)
    a. Yes, in a descriptive way
    b. Yes, in a quantitative way (e.g. correlations)
    c. Yes, other
    d. No
    e. Don’t know
    6) At what time intervals is the operational risk assessment reviewed? (Please select all that apply)
    a. Ad hoc
    b. Monthly
  • 54. c. Quarterly
    d. Yearly
    e. With bank’s reporting cycle
    f. Other
    g. Don’t know
    7) What information is collected as part of the operational risk assessment? (Please select all that apply)
    a. Risk description
    b. Risk owner
    c. Control description
    d. Impact
    e. Frequency
    f. Risk ranking
    g. Action plan if risk appetite/limit is breached
    h. Key risk indicators
    i. Risk appetite/Limit
    j. Other
    k. Don’t know
    8) How is the operational risk function organized? (Please select all that apply)
    a. Embedded in the lines of business
    b. Centralized
    c. Both
    d. Other
    9) Please rate the following statements on their level of significance to SBL operational risk program. (1= Not significant, 5= very significant, and 6=Don’t know)
    Scale
  • 55. 1. Communication with other departments: 1 2 3 4 5 6
    2. Risk Control self-assessment: 1 2 3 4 5 6
    3. Loss event management: 1 2 3 4 5 6
    4. Strategies risk assessment: 1 2 3 4 5 6
    5. Key risk assessment: 1 2 3 4 5 6
    6. Scenario analysis/stress testing: 1 2 3 4 5 6
    Thank you so much for your time.