Risk management ppt 111p (training module)


Published in: Business

1. Introduction
Instructor: Sadia Razzaq
3-day training course on ERP-EBS modules along with core competencies for zonal managers (OPS/ADMN)
Topic of the day: Operations Risk Management (concept, measurement and management techniques)

2. Layout
• Concepts
• Measurements
• Management techniques

3. Concepts
• Historical perspective
• Definitions
• Key terminologies
• Categories
• Risk classes and their interconnections
• Dimensions
4. A Brief History of Operational Risk Management
• Taking the opportunity out of risk and taking the risk out of opportunity comes naturally. Making that process explicit, systematic and logical (risk management) only really began with the arrival of probability mathematics.
• Since then, areas and industries that lend themselves to quantitative analysis have devised increasingly sophisticated mathematics and methodologies to determine the likelihood of, impact of and exposure to risks. Where data is available the results have largely been successful, but by definition the outcome of risk management is uncertain.
• Further uncertainty arises in operational risk because of the value of economic intangibles such as goodwill, and the volatility of the interrelationships among the factors determining each aspect of risk and opportunity.

5. Cont…
• Given these features, risk management remains more of an art than a science, despite the growing body of literature classified as risk management.
• In the United States the loss of the Challenger space vehicle and the collapse of the thrifts had an impact; in New Zealand it was the collapse of the scenic Cave Creek viewing platform. While these events were sufficiently shocking at a national level to promote the advent of recognized operational risk management processes, at an organization level
• With rising awareness and recognition of operational risk management as such, various generic standards were published. These have been successful in providing a reference against which individual organizations can compare their own methodologies.
• It is increasingly recognized that a systematic evaluation process will improve the risk management approach.

6. Cont…
• The process of developing, implementing and supervising operational risk management in banks is evolving and incomplete; nevertheless it has become institutionalized as a category of regulatory and managerial attention.
• Basel II connects the management of operational risk with good corporate governance in a way that positions old risks in a new space.
• The term 'operational risk' was coined in 1991.
• Later, Barings and other scandals such as Daiwa shaped the history of operational risk management.
• The emerging risk management agenda is necessarily grafted onto the existing technical agendas of different operational groups.
• Operational risk and the Basel II reforms create a new competitive space for the various control agents inside financial organizations, who re-launch what they do in the name of operational risk management.
7. Definitions
• 'Operational risk is the risk of losses resulting from inadequate or failed internal processes, people and systems or from external events.'
• 'Operational risk is the risk that deficiencies in information systems or internal controls will result in unexpected loss; the risk is associated with human error, systems failure and inadequate procedures or controls.'
• 'Operational risk is the risk of adverse impact to the business as a consequence of conducting it in an improper or inadequate manner, and may result from external factors.'

8. Key Terminologies
• Risk appetite: the point of balance between risk and reward at which a decision maker feels most comfortable.
• Exposure (residual risk): the risk remaining after risk treatments have been applied.
• Inherent risk: the risk intrinsic to a given situation before any alleviating or aggravating treatment is applied.
• Likelihood: a value assigned to the probability or frequency with which a potential event is estimated to occur.
• Opportunity: a potential event deemed to have a positive effect on an organization.
• Risk: a potential event deemed to have an adverse effect on an organization.
• Risk assessment: a systematic process of analysis and evaluation of risks and opportunities.
• Risk management: the systematic and conscious understanding, organization and treatment of risks and opportunities.
• Uncertainty: a context in which an event occurs with some probability whose distribution is unknown.

9. Cont…
• Operational risk management: the systematic assessment and management of the trade-offs made between risk and opportunity in order to run an efficient and effective organization.
• Systemic risk: the risk that the failure of a single institution creates failures elsewhere in the system because of the interconnectedness of transactions and institutions.
• Operational risk event (ORE): a failure of internal processes, people or systems, or a result of external events.
• Treatment: conscious action in relation to a risk or opportunity:
  - Reject (walk away).
  - Transfer (split the risk with another party).
  - Accept (take the risks and opportunities as they come).
  - Optimize (reconfigure strategy, operations, culture, etc. to maximize opportunity and/or minimize risk).
10. Categories
Operational risk can be captured in five major categories:
• Organization
• Policy/Process
• Technology
• Human
• External
These five categories are broad and present a valid base for management to address problems.

11. Cont…
• Organization: risks arising from issues such as change management, project management, corporate culture and communication, allocation of responsibilities, and business continuity planning.
• Policy and process: risks arising from weaknesses in processes such as settlement and payment, non-compliance with internal policies or external regulation, or failures in products or client dealings.
• Technology: risks arising from defective hardware or software, failures in other technology such as networks or telecommunications, as well as breaches of IT security.
• Human: risks arising from failure of employees or employer, conflicts of interest, or other internal fraudulent behavior.
• External: risks arising from fraud or litigation by parties external to the firm, as well as lack of physical security for the institution and its representatives.

12. Risk classes and their interconnections
13. Cont…
• Reputation risk: the aggregate outcome of all risks plus other internal and external factors. Reputation is the result of doing the right thing and doing things right over an extended period.
• Strategy risk: concerns the existing base of a bank and its options, assessed through what-if analysis. Strategy is doing the right thing at the right time. The exposure lies less in the strategy itself than in its implementation, which in turn is operational risk.
• Operational risk: the risk of loss or reputational damage resulting from inadequate or failed internal processes, people and systems or from external events.

14. Dimensions of Risk Management
Risk management can add value and represent a valid business case in two dimensions:
• Control: independent risk assessment, compliance, business continuity planning, supervisory requirements, limits, progress reporting, escalation, corrections, etc. It covers avoiding accidents, catching non-compliance and illegal actions, complying with rules and regulations, and meeting usual management needs.
• Shareholder value creation: efficiency, correct risk evaluation and pricing, avoidance of duplicate controls, rational economic capital allocation, reduction of regulatory capital, product enhancements, competitive strategic advantage, improved reputation, etc. This adds a further stage that treats operational risk more like a real business. Operational risk management here comes close to quality management, efficiency management and the concept of opportunity cost.

15. Measurements
• Practical instruments and tools
• Models
• The data challenge
• Quantification of operational risks
• Software use
16. Cont…
• Management of operations has always used some sort of tools to identify, assess, control and manage operational risk in its day-to-day area of activity. With the increased awareness of senior management for risks in general and operational risk in particular, these tools have received closer attention.
• No one tool on its own is sufficient; each has its limitations. The issue is the 'synchronization' of the tools with the more high-level general management approaches discussed earlier, including audits and compliance measures. Such an approach leads to integrated risk management.

17. Practical instruments and tools
1. Control and Risk Self-Assessment (CRSA) is a team-based technique to help managers identify and measure operational risk through estimates based on the consensus opinion of a group of knowledgeable managers and staff. The ultimate objective is to foster the identification, assessment and mitigation of operational risk.
• Management must clarify the relationship between the organization's primary corporate objectives and the specific business-line objectives of each participating unit. These objectives can cover diverse areas and diverse practical applications for every department and every employee function.
• The objectives are analyzed in terms of:
  - Threats: events that could prevent the achievement of an objective
  - Controls: activities that provide additional assurance that objectives are met
  - Agreed residual risk: the real or possible events or situations where a business/quality objective is not being met, or may not be met, given the controls in place
The information on threats, controls and risks is captured for each business objective, then documented, summarized and reported to senior management. Because a firm's risk profile is dynamic, CRSA findings should be updated periodically.

18. Cont…
2. Impact & Frequency Scorecard: operational risk events identified as having potentially significant impact can be isolated for further analysis, which may include a frequency estimator and an investigative study. Based on the findings from these analytical tools, an appropriate management response can then be deployed. The following examples illustrate these tools.
19. Impact scoring system (example)

20. Frequency estimator (example)
21. Cont…
3. Risk and Process Mapping: operational risk mapping is based on a self-assessment / perception survey and is a qualitative technique to identify, categorize, analyze and assign:
• specific risks against a standard template
• controls or other tactics to manage identified risks
• residual risks and desired levels of residual risk
• responsibility for management of identified risks
Process or activity mapping is a technique employed to describe business processes in a clear, visible way. In the OpRisk context it is designed to reflect the diverse activities that take place within departments, identifying risk drivers and controls.

22. Risk and Process Mapping (example)

23. Cont…
4. Operational Risk Dashboard: the dashboard is intended to provide senior management with a simple overview of operational risk levels and directional trends at the highest reporting aggregation level per business unit. It works on the traffic-light principle, grading category-aggregated risk per BU by colour. Risk indicators aggregated into categories, either as BU-specific composites or via group-wide sub-categories, are evaluated and given a weighting that contributes to the overall risk grade of the operational risk category.

24. Operational Risk Dashboard (example)
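A worked illustration of slides 18 to 24, added here as an example; it is not from the module or from any vendor tool. It scores each register entry on assumed 1-5 impact and frequency bands, reduces the inherent score by an assumed control effectiveness to obtain the residual, and aggregates residuals per business unit into the traffic-light grades the dashboard slide describes. The bands, RAG thresholds, category weights and the sample register are all constructed assumptions, not the module's numbers.

```python
"""Impact/frequency scorecard and traffic-light dashboard for an operational
risk register. Added example, not part of the training module: the 1-5 scales,
RAG thresholds, category weights and sample register are assumptions."""
from collections import defaultdict

# Assumed impact bands: (upper bound of expected loss in currency units, score)
IMPACT_BANDS = [(10_000, 1), (100_000, 2), (1_000_000, 3), (10_000_000, 4)]
# Assumed frequency bands: (upper bound of events per year, score)
FREQUENCY_BANDS = [(0.1, 1), (1, 2), (10, 3), (100, 4)]
# Assumed category weights used when aggregating to one grade per business unit
CATEGORY_WEIGHTS = {"Organization": 0.15, "Policy/Process": 0.25,
                    "Technology": 0.30, "Human": 0.20, "External": 0.10}


def _band(value, bands, top=5):
    """Map a value onto a 1-5 score using ascending upper-bound bands."""
    for upper, score in bands:
        if value <= upper:
            return score
    return top


def score_impact(expected_loss):
    return _band(expected_loss, IMPACT_BANDS)


def score_frequency(events_per_year):
    return _band(events_per_year, FREQUENCY_BANDS)


def inherent_score(expected_loss, events_per_year):
    """Inherent risk = impact score x frequency score, range 1..25."""
    return score_impact(expected_loss) * score_frequency(events_per_year)


def residual_score(inherent, control_effectiveness):
    """Residual risk after controls; effectiveness is 0.0 (none) .. 1.0 (fully
    mitigating). Out-of-range values are rejected rather than clamped, so a bad
    self-assessment entry is caught when the register is loaded."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError(f"control effectiveness out of range: {control_effectiveness}")
    return inherent * (1.0 - control_effectiveness)


def rag(score):
    """Traffic-light grade on the 1..25 scale (assumed thresholds)."""
    if score <= 6:
        return "GREEN"
    if score <= 12:
        return "AMBER"
    return "RED"


def dashboard(register):
    """Aggregate residual scores per business unit.

    Each register entry is a dict with business_unit, category, expected_loss,
    events_per_year and control_effectiveness. Within a category the worst
    residual is kept (one red item must not be averaged away); across
    categories the weighted mean gives the BU composite.
    """
    worst = defaultdict(dict)  # bu -> category -> worst residual score
    for r in register:
        inh = inherent_score(r["expected_loss"], r["events_per_year"])
        res = residual_score(inh, r["control_effectiveness"])
        cats = worst[r["business_unit"]]
        cats[r["category"]] = max(cats.get(r["category"], 0.0), res)
    out = {}
    for bu, cats in worst.items():
        # Weights of the categories actually present are renormalized so a BU
        # with no entries in some category is not automatically graded greener.
        total_w = sum(CATEGORY_WEIGHTS[c] for c in cats)
        score = sum(CATEGORY_WEIGHTS[c] * s for c, s in cats.items()) / total_w
        out[bu] = {"score": round(score, 2), "grade": rag(score),
                   "categories": {c: rag(s) for c, s in cats.items()}}
    return out


# Constructed sample register (not real data)
SAMPLE_REGISTER = [
    {"business_unit": "Retail", "category": "Technology", "expected_loss": 500_000,
     "events_per_year": 2, "control_effectiveness": 0.2},       # 3*3=9  -> 7.2
    {"business_unit": "Retail", "category": "Human", "expected_loss": 5_000,
     "events_per_year": 20, "control_effectiveness": 0.5},      # 1*4=4  -> 2.0
    {"business_unit": "Treasury", "category": "Policy/Process", "expected_loss": 20_000_000,
     "events_per_year": 0.5, "control_effectiveness": 0.0},     # 5*2=10 -> 10.0
    {"business_unit": "Treasury", "category": "External", "expected_loss": 2_000_000,
     "events_per_year": 5, "control_effectiveness": 0.1},       # 4*3=12 -> 10.8
    {"business_unit": "Treasury", "category": "External", "expected_loss": 15_000_000,
     "events_per_year": 3, "control_effectiveness": 0.0},       # 5*3=15 -> 15.0 (worst wins)
]

if __name__ == "__main__":
    for bu, row in dashboard(SAMPLE_REGISTER).items():
        print(bu, row)
```

Note how weighting behaves in the sample: Treasury's External category is RED on its own, yet the weighted BU composite is AMBER. That is the aggregation masking a single severe item, which is why the example reports the per-category grades alongside the composite and takes the worst residual within a category rather than the average.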
25. Cont…
5. Loss Event Database: a loss event database captures and accumulates individual loss events across business units and risk types. Of the tools listed, it is the only one that measures, quantifies and provides financial operational risk data. An established and complete database can potentially be used for modeling purposes and combined with external loss event data.

26. Models
1. Factor-derived models: these models apply causal factors to build a prediction of the LEVEL of RISK. They tend to produce a figure for the relative future effect of the causal factors on operational risk, but not necessarily for the operational LOSS amount. They are also considered only partially representative of operational risk root causes. For example, they would combine error rates, failed reconciliations, employee training expenditure, staff turnover, indicators of IT system complexity, indicators of the quality of governance, etc. to project a level of OpRisk.

27. Cont…
2. Indicator-based models: indicator-based quantification is a possible method for quantifying operational risk and the corresponding regulatory capital allocation. The level of operational risk is identified as a multiple of a simple observable indicator, or of a combination of such indicators. Suggested indicators include gross revenues, fee income, operating costs, managed assets, or total assets adjusted for off-balance-sheet exposures.

28. Cont…
3. Statistical / actuarial / simulation-based models: these models use actual loss data to construct representations of operational loss frequency and severity in the form of statistical probability distributions. To do this they require many data points and rely on the existence of complete operational risk databases. Simulation-based quantification models are very popular in the literature on operational risk, particularly the actuarially inspired Monte Carlo simulation technique. The prime reason is that they allow the data gap prevailing in operational risk for low-probability events to be filled. The flaw is that the present state of operational risk data does not allow any backtesting of the correctness of the generated distribution. In addition, because operational risk is highly context dependent, slight changes in the environment have a significant impact on the generated distribution and would require the entire underlying simulation setting to be reviewed.

29. Cont…
4. Loss-scenario / qualitative assessment models: these models produce a subjective loss estimate for a given time horizon (say one year) and confidence level (say 99%), based on the experience and expertise of key managers. Weaker forms of assessment may only require ranking the operational risk level for each element of a risk map or checklist. Qualitative assessment models have been put forward because they are particularly well suited to tackling both the frequent unobservability of operational risk and its high context dependency. A purely qualitative assessment can also be turned into a quantification method. Such methods have the advantage of making the CHANGE in operational risk more transparent, and they allow proactive management of the level of operational risk. However, since they rely on the subjective judgment of experts, they are appropriate only for a crude quantification of the operational risk economic capital level and of operational risk capital allocation.
30. The data challenge
• Data availability is a precondition. Activities only turn into data if they are recorded in a form that can be retrieved later.
• Operational risk data should be available at an adequate frequency and level of detail.
• Operational risk data should be collected systematically for all departments, business lines or clusters.
• Many risk areas simply cannot be measured; they require judgment. Accordingly, two types of data, qualitative and quantitative, must be distinguished.
• It is extremely important that the information to be captured is clearly defined in terms of content, features and units. This is a precondition for standardization and for tracking failures of reporting, formats, etc.
• Structured data is a key rule for success: discipline is required in allocating tags to operational risk data (definition, time, source, organization and frequency references, etc.) so that the data can actually be used.

31. Cont…
• It must be possible to combine data points in a reliable and credible database system and turn them into real information.
• Data quality and its consistency over time is the issue.
• Consistency of statistics is core.
• Relevance has to be ensured. Times change; new environments and new products are put in place. Constant surveys and checks of the type of data being used must be performed to avoid 'white noise' or unrealistic indicators.
• Pollution of databases happens. Polluted and fake data produce indicators that are not only incorrect or incomplete but misleading.
• Without maintenance a database cannot run. Data must be consistently reported, loaded and updated.
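The pipeline from slides 25, 28, 30 and 31 as an added example (not the module's code and not a vendor product): a constructed loss event database is validated against the tagging rules (required fields, positive amounts, no duplicate ids), a Poisson frequency and lognormal severity are fitted to the clean records by method of moments, and a Monte Carlo simulation produces the aggregate annual loss distribution with its 95%, 99% and 99.9% quantiles. The Poisson/lognormal choice, the sample records and the quantile levels are assumptions.

```python
"""Loss event database -> frequency/severity fit -> Monte Carlo aggregate loss.
Added example, not code from the training module. The loss records below are
constructed sample data; Poisson frequency with lognormal severity is the
assumed loss-distribution model, not something the module prescribes."""
import math
import random
from datetime import date

# Tags every record must carry (the "structured data" rule on the data slide)
REQUIRED = ("event_id", "business_unit", "category", "event_date", "gross_loss")


def validate(records):
    """Reject polluted rows with a reason instead of dropping them silently:
    missing tags, duplicate ids, non-positive or non-numeric loss amounts."""
    clean, rejected, seen = [], [], set()
    for r in records:
        missing = [k for k in REQUIRED if r.get(k) in (None, "")]
        if missing:
            rejected.append((r, f"missing {missing}"))
        elif r["event_id"] in seen:
            rejected.append((r, "duplicate event_id"))
        elif not isinstance(r["gross_loss"], (int, float)) or r["gross_loss"] <= 0:
            rejected.append((r, "non-positive or non-numeric loss"))
        else:
            seen.add(r["event_id"])
            clean.append(r)
    return clean, rejected


def fit(clean, years_observed):
    """Method-of-moments fit: Poisson rate per year; lognormal mu/sigma from log losses."""
    logs = [math.log(r["gross_loss"]) for r in clean]
    n = len(logs)
    mu = sum(logs) / n
    sigma = math.sqrt(sum((x - mu) ** 2 for x in logs) / (n - 1))
    return {"lam": n / years_observed, "mu": mu, "sigma": sigma}


def _poisson(lam, rng):
    """Knuth's multiplication method; fine for the small rates a loss database yields."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(params, years=20000, seed=1):
    """Simulate `years` annual aggregate losses and return mean and tail quantiles.
    analytic_mean = lam * E[severity] is included so the simulation can be
    checked against the closed form of the compound Poisson mean."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        n = _poisson(params["lam"], rng)
        totals.append(sum(rng.lognormvariate(params["mu"], params["sigma"]) for _ in range(n)))
    totals.sort()
    q = lambda p: totals[min(int(p * years), years - 1)]
    analytic_mean = params["lam"] * math.exp(params["mu"] + params["sigma"] ** 2 / 2)
    return {"mean": sum(totals) / years, "analytic_mean": analytic_mean,
            "q95": q(0.95), "q99": q(0.99), "q999": q(0.999)}


def _rec(eid, bu, cat, d, loss):
    return {"event_id": eid, "business_unit": bu, "category": cat, "event_date": d, "gross_loss": loss}


# Constructed sample database: ten valid events over three years plus three polluted rows
SAMPLE_LOSSES = [
    _rec("E001", "Retail", "Technology", date(2019, 2, 3), 4000),
    _rec("E002", "Retail", "Human", date(2019, 6, 11), 12000),
    _rec("E003", "Treasury", "Policy/Process", date(2019, 9, 30), 8000),
    _rec("E004", "Retail", "External", date(2020, 1, 17), 25000),
    _rec("E005", "Treasury", "Technology", date(2020, 4, 2), 6000),
    _rec("E006", "Retail", "Policy/Process", date(2020, 7, 21), 15000),
    _rec("E007", "Treasury", "Human", date(2020, 11, 5), 9000),
    _rec("E008", "Retail", "Technology", date(2021, 3, 14), 40000),
    _rec("E009", "Treasury", "External", date(2021, 8, 9), 5000),
    _rec("E010", "Retail", "Organization", date(2021, 12, 1), 18000),
    _rec("E003", "Treasury", "Policy/Process", date(2019, 9, 30), 7000),   # duplicate id
    _rec("E011", "Retail", "", date(2021, 5, 5), 3000),                      # missing tag
    _rec("E012", "Treasury", "Technology", date(2021, 6, 6), -500),         # bad amount
]

if __name__ == "__main__":
    clean, rejected = validate(SAMPLE_LOSSES)
    params = fit(clean, years_observed=3)
    print(params, simulate(params))
    for row, why in rejected:
        print("rejected", row["event_id"], why)
```

With only ten recorded events the fitted sigma rests on nine degrees of freedom and the 99.9% quantile is pure extrapolation from the assumed lognormal tail; this is the backtesting gap the model slide warns about. The rejected list should go back to the data owners rather than be discarded, since a polluted record that passes validation (a plausible but wrong amount) cannot be caught at this stage at all.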
32. Quantification of operational risks
In this exercise we look at whether each element of operational risk can be measured separately or whether only a qualitative assessment can be performed. Quantification / measurement generally involves looking at four aspects of a phenomenon within an organization:
• its size, severity or intensity
• its frequency
• its context dependency: different in different situations
• its interaction (contagion/correlation) with other events
Size describes the observed extent of a move. Frequency describes the number of times a move of a given size occurs within, say, a given time period or a given organizational unit. Context dependency describes whether the move size differs between situations.

33. Cont…
The lower the observability of moves in terms of size and frequency, and the higher their context dependency and interaction, the more difficult it is to measure the operational risk sub-category. In such cases a qualitative assessment offers the best alternative for quantification. 'Technology' and 'external risks' should allow a database-based quantification similar to the one performed for market or credit risk. 'Organization, policy and process', however, only permit a quantification based on qualitative assessments. Given that only relatively few elements of operational risk are credibly measurable and quantifiable, it is essential at the management level not to make the measurable important, but the important measurable.

34. Software Solution
Modern IT systems lead to new processes. The pressure from all sides to invest continuously and dramatically in modern processes, including in the interest of risk reduction, is immense. Integrated IT networks are central, especially for a global institution. Internet-related technologies enable much higher and more sophisticated levels of co-ordination, globality, efficiency and flexibility. However, they open the door to chaos and risk if they are not consistent, structured, harmonized and stable over time. The new technologies create unique opportunities to modify and/or overhaul business processes in terms of workflow, service delivery and risk reduction.

35. Cont…
Check Point Risk Management Software
A software solution that supports operational risk management in order to improve business processes and performance and to simplify regulatory compliance. Features:
• Business unit documentation
• Process documentation and flowcharting
• Risk analysis based on impact / likelihood assessment
• Quantitative analysis of frequency and severity using Monte Carlo simulations
• Control identification and testing
• Residual risk auto-calculation
• Incident / loss documentation and management
• Action plans and tasks
• Automated alerts
• User-definable reports
• Interactive, drill-down dynamic dashboards
• Permission-based access and data control
36. Management techniques
• Principles of operational risk management
• Stages of operational risk management
• Organizational models for managing risks
• Frameworks for operational risk management
• Internal control

37. Principles of Operational Risk Management
There are 12 Golden Rules in risk management. They are the result of observations and adjustments over the years and apply to operational risk as well.
1. Risk is uncertainty about future results.
2. The 6 S's for the systematic mental discipline of an organization, in logical sequence: strategy, structure, system, systems, safety, speed.
3. Clear structure, allocation of responsibility and accountability, and discipline are basic preconditions.
4. Rigorous measures in case of non-compliance/breaches.
5. Completeness, integrity and relevance of data/systems/information as a basis.
6. Risk management is a tenacious process, not a program.

38. Cont…
7. Risk management is part art, part science.
8. Models are always only part of an overall risk management approach and must be complemented by common sense.
9. Complexity is the enemy of speed and responsiveness: try hard for simplicity.
10. Self-management and leadership in building a culture of open communication based on experience and know-how are increasingly challenging: ban knowledge-hoarders and turn knowledge-givers into heroes as part of the evaluation/incentive process.
11. A responsible control/compliance/risk culture is as important as the most sophisticated quantification.
12. Successful risk management is primarily the result of the capacity, aptitude and attitude of the people involved: people shape the culture, reputation and brand equity.
39. Stages of Operational Risk Management

40. Cont…
Implementing operational risk management implies progression through the following four stages. Meridien Research estimates the lead time from Stage 1 to Stage 4 at a minimum of 2-3 years, depending on the complexity and size of the organization. The research indicates that most of the top 500 financial institutions worldwide are still in Stages 1 and 2; a handful have attained Stages 3 and 4.

41. Organizational models for managing risks
A survey identified three generic organizational models for operational risk management:
• a head office operational risk function
• a dedicated but decentralized support
• internal audit playing a lead role in operational risk management

42. Cont…
Audit-driven operational risk management
It is self-evident that auditing and controlling activities must not report to those who are audited. Internal and external audits play a very relevant role, especially in the operational risk arena. It is true that many conventional audits are more control-oriented or concentrate on symptoms. However, forward-looking and diligent audit reports are an excellent base for operational improvements and for the reduction or elimination of operational risk: from ex-post assessments to ex-ante improvements. The audit-driven approach is the most pragmatic and readily implementable approach in operational risk management. As important as the audit reports themselves are the corresponding follow-ups and corrective actions by those concerned.

43. Cont…
There is no commonly accepted benchmark or model for the methodology of managing operational risk. As is to be expected in the art of management, there are arguments for both top-down and bottom-up approaches in operational risk management.

44. Frameworks for Operational Risk Management
A common framework for operational risk management in banks has emerged recently; it combines integrated processes, tools and mitigation strategies. This framework has 6 components.
45. Internal control
Three main objectives and roles of the internal control framework:
• Efficiency and effectiveness of activities (performance objectives)
• Reliability, completeness and timeliness of financial and management information (information objectives)
• Compliance with applicable laws and regulations (compliance objectives)

46. Cont…
Internal control consists of 5 interrelated elements:
• Management oversight and the control culture
• Risk recognition and assessment
• Control activities and segregation of duties
• Information and communication
• Monitoring activities and correcting deficiencies
An appropriate control and compliance culture is part of the risk culture. This 'cultural aspect' needs close and continued attention by senior management. Culture is qualitative; it cannot be quantified or modeled.

47. Cont…
Operational risk control: 12 general rules as a checklist
1. Have a control environment and a compliance culture that accepts internal supervision.
2. Regulators' standards are continuously being raised.
3. Map regulatory requirements directly to compliance controls.
4. Organize activities so that they can be controlled.
5. Construct procedures relevant to the concrete activity.
6. Document the procedures and maintain the relevant documents.
7. Train management and staff.
8. Pay special attention to control procedures.
9. Compliance plays an increasingly core role in OpRisk control.

48. Cont…
10. E-commerce presents a new control/compliance challenge.
11. The supervisory board and senior management have an increasing responsibility for controls and compliance: from back office to board room.
12. Procedures should ideally have the following characteristics:
  - Single document as to rules and requirements
  - Structured along the activity flow
  - Comprehensive
  - Clear: so someone else can pick it up (see staff turnover, role of temps and consultants)
  - Instructing: what is to be done in case of......
  - Teachable: so it can be used as a training aid
  - Implementable: use simple checklists
  - Auditable

49. The End
'Our lives improve only when we take chances, and the most difficult risk we can take is to be honest with ourselves.' Walter Anderson