3-day training course on ERP-EBS Modules along with
core competencies for zonal managers (OPS/ADMN)
Topic of the day:
Operations Risk Management
(Concept, Measurement and management
Risk classes and their
A Brief History of Operational Risk Management
• Taking the opportunity out of risk and taking the risk out of
opportunity is natural. However, making that process explicit,
systematic and logical – risk management – only really began
with the coming of probability mathematics
• Since then areas and industries lending themselves to
quantitative analysis have devised increasingly sophisticated
mathematics and methodologies to determine the likelihood,
impact and exposure to risks. Where data is available the
results have been largely successful, but by definition the
outcome of risk management is uncertain
• Further uncertainty arises in the area of operational risk due
to the value of economic intangibles such as goodwill, and the
volatility of interrelationships amongst the factors
determining each aspect of risk and opportunity.
• Given these features, risk management remains more of an
art than a science, despite the growing body of literature
classified as risk management
• In the United States the loss of the Challenger space vehicle
and collapse of thrifts had an impact; in New Zealand it was
the collapse of the scenic Cave Creek viewing platform. While
these events were sufficiently shocking at a national level to
promote the advent of recognized operational risk
management processes, at an organization level
• With the rising awareness and recognition of operational risk
management as such, various generic standards were
published. These have been successful in providing a
reference against which individual organizations can compare
their own methodologies
• It is increasingly recognized that a systematic evaluation
process will improve the risk management approach
• The process of developing, implementing and supervising
operational risk management in banks is evolving and
incomplete; however, its institutionalization has arisen as a
category of regulatory and managerial attention
• Basel 2 makes the connection between the management of
operational risk and good corporate governance in such a way as
to position old risks in a new space
• The term ‘operational risk’ was coined in 1991
• Later, Barings and other scandals such as Daiwa make up the
history of operational risk management
• The emerging risk management agenda is necessarily grafted on to
the existing technical agendas of different operational groups
• Operational risk and the Basel 2 reforms create a new competitive
space for various control agents inside financial organizations,
who re-launch what they do in the name of operational risk
• ‘Operational risk is the risk of losses resulting
from inadequate or failed processes, people and
systems or from external events’
• ‘Operational risk is the risk that deficiencies in
information systems or internal controls will result in
unexpected loss; the risk is associated with human
error, systems failure and inadequate procedures or
• Operational risk is the risk of adverse impact to
business as a consequence of conducting it in an
improper or inadequate manner and may result
from external factors”
• Risk appetite: The point of balance between risk and reward at which a
decision maker feels most comfortable.
• Exposure (residual risk): Risks remaining after risk treatments have been
• Inherent Risk: Risks intrinsic to a given situation prior to the application of
any alleviating or aggravating treatment.
• Likelihood: A value assigned to the probability or frequency with which a
potential event is estimated to occur.
• Opportunity: A potential event deemed to have a positive effect on an
• Risk: A potential event deemed to have an adverse effect on an
• Risk Assessment: A systematic process of analysis and evaluation of risks
• Risk Management: The systematic and conscious
understanding, organization and treatment of risks and opportunities.
• Uncertainty: Context in which an event occurs with some probability, the
distribution of which is unknown
• Operational Risk Management: The systematic assessment
and management of the trade-offs made between risk and
opportunity to run an efficient and effective organization.
• System risk: The risk that a failure of a single institution could
create failures elsewhere in the system because of the
interconnectedness of transactions and institutions
• Operational Risk Event (ORE): defined as a failure of
internal processes, people or systems, or a result of external
• Treatment: Conscious action in relation to a risk or
Reject (walk away).
Transfer (split the risk with another party).
Accept (take the risks & opportunities as they come).
Optimize (reconfigure strategy, operations, culture, etc to
maximize opportunity and/or minimize risk).
• Operational risk can be captured in five major
The 5 suggested categories are major and they
present a valid base for solving problems for
• Organization: risks arising from such issues as change
management, project management, corporate culture and
communication, responsibilities, allocation and business
• Policy and Process: risks arising from weaknesses in
processes such as settlement and payment, non-compliance
with internal policies or external regulation or failures in
products or client dealings.
• Technology: risks arising from defective hard- or
software, failures in other technology such as networks or
telecommunications, as well as breaches in IT security.
• Human: risks arising from failure of employees or
employer, conflicts of interest, or other internal
fraudulent behavior.
• External: risks arising from fraud or litigation by parties
external to the firm, as well as lack of physical security for the
institution and its representatives.
• Reputation risk: The aggregation of the outcome of all
risks plus other internal and external factors.
Reputation is the outcome of the mix of doing the right
thing and doing things right over an extended period.
• Strategy risk: It deals with the existing base of a bank
and its options, based on a what-if analysis. Strategy is
doing the right thing at the right time. It is not so much
the strategy, but implementation which in turn is
• Operational Risk: Defined as the risk of loss or
reputational damage resulting from inadequate or
failed internal processes, people and systems or from
Dimensions of Risk Management
Risk management can add value and represent a valid business
case in two dimensions:
• Control: Independent risk assessment, compliance, business
continuity planning, supervisory
requirements, limits, progress
reporting, escalation, corrections, etc. It covers the following:
avoiding accidents, catching non-compliance and illegal
actions, complying with rules and regulations, complying with
usual management needs.
• Shareholder value creation: efficiency, correct risk evaluation
and pricing, duplicate control avoidance, rational economic
capital allocation, reduction of regulatory capital, product
enhancements, competitive strategic advantage, improved
reputation, etc. It adds a further stage which treats
Operational Risk more like a real business. Operational Risk
management also gets close to quality
management, efficiency management and the concept of
The data challenge
• Management of operations has always used some
sort of tools to identify, assess, control and manage
Operational Risk in its day-to-day specific area of
activity. With the increased awareness of senior
management for risks in general and for
Operational Risk in particular, these tools have
received closer attention.
• No one tool on its own is sufficient; each has its
limitations. "Synchronization" of the tools combined
with previously discussed, more high level
approaches of general management - including
audits and compliance measures - is the issue. Such
an approach leads to integrated risk management.
Practical instruments and tools
1. Control and Risk Self-Assessment (CRSA) is a work team-based technique to
help managers identify and measure Operational Risk through estimates
based on the consensus opinion of a group of knowledgeable managers and
staff. The ultimate objective of this process is to foster the
identification, assessment and mitigation of Operational Risk.
• Management must clarify the relationship between the organization's
primary corporate objectives and the specific business line objectives for
each participating unit. These objectives can include diverse areas, as well
as diverse practical applications for every department and every employee
• The objectives are analyzed in terms of:
Threats - events that could prevent the achievement of an objective
Controls - activities that provide additional assurance that objectives are met
Agreed residual risk - the real or possible events or situations where a
business/quality objective is not being met or may not be met given the
controls in use/place.
The information on threats, controls and risks is captured for each business
objective. The information is then documented, summarized and reported
to senior management. Due to the dynamic nature of a firm's risk
profile, CRSA findings should periodically be updated.
2. Impact & Frequency Scorecard: In particular,
Operational Risk events that are identified as having
potentially significant impact can be isolated for
further analysis, which may include a frequency
estimator and an investigative study. Based on the
findings from these analytical tools, an appropriate
management response can then be deployed.
The following examples explain these tools.
[Slides: "Impact scoring system example"; "Impact scoring system (example) cont."]
3. Risk and Process Mapping: Operational Risk mapping
is based on self-assessment / perception survey and is a
qualitative technique to identify, categorize, analyze
• Specific risks against a standard template
• Controls or other tactics to manage identified risks
• Residual risks and desired levels of residual risks
• Responsibility for management of identified risks
Process or activity mapping is a technique employed to
describe business processes in a clear, visible way. In
the context of OpRisk, it is designed to provide a
reflection of the diverse activities that take place within
the departments, identifying risk drivers and controls.
4. Operational Risk Dashboard
Operational Risk Dashboard is intended to provide
senior management with a simple overview of
operational risk levels and directional trends at the
highest reporting aggregation level per business
unit. The dashboard works on the traffic light
principle, grading category-aggregated risk per BU
by colour. Risk indicators aggregated to categories
as BU specific composites or via group-wide sub
categories are evaluated and given a weighting
which contributes to the overall Operational Risk
category risk grade.
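The scorecard (tool 2) and the traffic-light dashboard (tool 4) can be wired together in a few lines. The following is an added example, not material from the training deck or from any vendor's product: it rates each risk-register row by impact and an estimated annual frequency, discounts the inherent score by tested control effectiveness to get a residual score, and then aggregates residual scores per business unit into a weighted composite with a colour grade. The register rows, category weights, likelihood bands and colour thresholds are constructed assumptions.

```python
# Added example (not from the training deck): an impact/frequency scorecard
# feeding a traffic-light operational risk dashboard per business unit.
# Register rows, category weights and thresholds are constructed assumptions;
# in practice the ratings come out of CRSA workshops and control testing.

# The five risk categories from the deck, with assumed aggregation weights.
CATEGORY_WEIGHTS = {
    "Organization": 0.15,
    "Policy and Process": 0.25,
    "Technology": 0.25,
    "Human": 0.15,
    "External": 0.20,
}

# Traffic-light thresholds on the 1..25 (impact x likelihood) scale (assumed).
AMBER_FROM = 5.0
RED_FROM = 10.0


def likelihood_rating(events_per_year):
    """Frequency estimator: map an estimated annual event frequency to a
    1..5 likelihood rating using order-of-magnitude bands (edges assumed)."""
    bands = [(0.1, 1), (1.0, 2), (10.0, 3), (100.0, 4)]
    for upper, rating in bands:
        if events_per_year < upper:
            return rating
    return 5


def score_risk(impact, events_per_year, control_effectiveness):
    """Return (inherent, residual) for one register row: inherent is
    impact x likelihood; residual is inherent reduced by the fraction of
    risk the tested controls are judged to remove."""
    if not 1 <= impact <= 5:
        raise ValueError("impact rating must be 1..5")
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must be between 0 and 1")
    inherent = impact * likelihood_rating(events_per_year)
    residual = inherent * (1.0 - control_effectiveness)
    return inherent, residual


def traffic_light(score):
    """Grade a 1..25 score as green / amber / red."""
    if score >= RED_FROM:
        return "red"
    if score >= AMBER_FROM:
        return "amber"
    return "green"


def build_dashboard(register):
    """Aggregate residual scores per business unit into a weighted composite
    (weights renormalised over the categories the BU actually reported)
    and surface the single worst residual risk so it cannot hide in the mean."""
    per_bu = {}
    for row in register:
        _, residual = score_risk(row["impact"], row["events_per_year"],
                                 row["control_effectiveness"])
        agg = per_bu.setdefault(row["bu"], {"weighted": 0.0, "weight_sum": 0.0,
                                            "worst": (None, 0.0)})
        weight = CATEGORY_WEIGHTS[row["category"]]
        agg["weighted"] += weight * residual
        agg["weight_sum"] += weight
        if residual > agg["worst"][1]:
            agg["worst"] = (row["category"], residual)
    dashboard = {}
    for name, agg in per_bu.items():
        composite = agg["weighted"] / agg["weight_sum"]
        dashboard[name] = {
            "composite": round(composite, 4),
            "colour": traffic_light(composite),
            "worst_category": agg["worst"][0],
            "worst_residual": agg["worst"][1],
            "worst_colour": traffic_light(agg["worst"][1]),
        }
    return dashboard


# Constructed register: two business units rated in a fictional CRSA session.
SAMPLE_REGISTER = [
    {"bu": "Treasury", "category": "Technology", "impact": 5,
     "events_per_year": 2.0, "control_effectiveness": 0.6},
    {"bu": "Treasury", "category": "Human", "impact": 4,
     "events_per_year": 0.5, "control_effectiveness": 0.5},
    {"bu": "Treasury", "category": "Policy and Process", "impact": 3,
     "events_per_year": 20.0, "control_effectiveness": 0.25},
    {"bu": "Retail", "category": "External", "impact": 4,
     "events_per_year": 15.0, "control_effectiveness": 0.8},
    {"bu": "Retail", "category": "Policy and Process", "impact": 2,
     "events_per_year": 3.0, "control_effectiveness": 0.5},
    {"bu": "Retail", "category": "Organization", "impact": 3,
     "events_per_year": 0.2, "control_effectiveness": 0.0},
]

if __name__ == "__main__":
    for bu, cell in build_dashboard(SAMPLE_REGISTER).items():
        print(bu, cell)
```

Reporting the worst single residual risk next to the composite is deliberate: a weighted average is exactly the kind of aggregation that lets one red item in a business unit disappear behind several green ones.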
5. Loss Event Database:
A loss event database captures and accumulates
individual loss events across business units and
risk types. A loss event database is the only tool
which measures, quantifies and provides
financial Operational Risk data. An established
and complete database can potentially be used
for modeling purposes and be applied to external
1. Factor-derived Models:
These models apply causal factors to build a
prediction of the LEVEL of RISK. They tend to
produce a figure for the relative future value of the
causal factors on Operational Risk, but not
necessarily of the operational LOSS amount. They
are also considered to be only partially
representative of Operational Risk root causes.
For example, they would use a combination of error
rates, failed reconciliations, employee training
expenditure, staff turnover, indicators of the IT
system complexity, indicators for the quality of
governance, etc. to project a level of OpRisk.
2. Indicator based Models:
An indicator-based quantification is a possible
method for the quantification of Operational Risk
and the corresponding regulatory capital allocation.
The level of Operational Risk is identified by a
multiple of a simple observable indicator or a
combination thereof. Suggested indicators include:
gross revenues, fee income, operating
costs, managed assets or total assets adjusted for
off-balance sheet exposures.
3. Statistical / Actuarial / Simulation-based Models
These models use actual loss data to construct representations of
operational loss frequencies and severity in the form of statistical
probability distributions. To do this, they require many data points
and have to rely on the existence of complete Operational Risk
Simulation-based quantification models are very popular in the
literature on Operational Risk, particularly the actuarial inspired
Monte Carlo simulation technique. The prime reason for this is
that they allow filling the data gap prevailing in Operational Risk
for low probability events.
The flaw is that the present state of Operational Risk data does not
allow for any backtesting of the correctness of the generated
distribution. In addition, slight changes in the environment, due to
the high context dependency of Operational Risk, will have a
significant impact on the generated distribution. These would
require reviewing the entire underlying simulation setting.
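To make the loss event database (tool 5) and the actuarial simulation model concrete, the following added example (not code from the training deck, and not a statement about how any particular bank models OpRisk) fits a Poisson event frequency and a lognormal severity to a constructed set of loss records, then runs a Monte Carlo simulation of the annual aggregate loss and reads off the expected loss and the loss at a 99% confidence level. The loss records, the three-year observation window and the Poisson/lognormal choice are assumptions for illustration; only the standard library is used.

```python
import math
import random
import statistics

# Added example (not from the training deck): a frequency x severity Monte
# Carlo model fed from a loss event database. The events below and the
# Poisson/lognormal distributional choice are constructed assumptions.

# Constructed loss event database: (business unit, year, gross loss).
# Three full years of observation, 12 events in total.
LOSS_EVENTS = [
    ("Retail", 2019, 4000.0), ("Retail", 2019, 7500.0), ("Treasury", 2019, 12000.0),
    ("Retail", 2019, 3200.0), ("Treasury", 2020, 25000.0), ("Retail", 2020, 9800.0),
    ("Treasury", 2020, 60000.0), ("Retail", 2020, 15000.0), ("Retail", 2021, 5500.0),
    ("Treasury", 2021, 120000.0), ("Retail", 2021, 8200.0), ("Treasury", 2021, 18000.0),
]
OBSERVATION_YEARS = 3.0


def fit_frequency(events, years):
    """Poisson rate: events per year observed in the database."""
    return len(events) / years


def fit_severity(events):
    """Lognormal severity: mean and population std dev of log(loss)."""
    logs = [math.log(loss) for _, _, loss in events]
    return statistics.mean(logs), statistics.pstdev(logs)


def expected_annual_loss(lam, mu, sigma):
    """Closed form: lambda * E[lognormal] = lambda * exp(mu + sigma^2 / 2)."""
    return lam * math.exp(mu + sigma * sigma / 2.0)


def sample_poisson(rng, lam):
    """Knuth's product-of-uniforms Poisson sampler (fine for small lambda);
    the standard library has no Poisson generator of its own."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_losses(lam, mu, sigma, trials=20000, seed=7):
    """One simulated year = N ~ Poisson(lam) events, each with a
    lognormal(mu, sigma) severity; returns the aggregate loss per year."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    totals = []
    for _ in range(trials):
        n = sample_poisson(rng, lam)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return totals


def quantile(values, q):
    """Empirical quantile by sorting (no interpolation)."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(q * len(ordered)))
    return ordered[idx]


def capital_summary(events=LOSS_EVENTS, years=OBSERVATION_YEARS, confidence=0.99):
    """Expected loss versus loss at the chosen confidence level; the gap is
    the unexpected loss that economic capital would have to absorb."""
    lam = fit_frequency(events, years)
    mu, sigma = fit_severity(events)
    sims = simulate_annual_losses(lam, mu, sigma)
    expected = statistics.mean(sims)
    loss_at_conf = quantile(sims, confidence)
    return {
        "lambda": lam, "mu": mu, "sigma": sigma,
        "expected_loss": expected,
        "loss_at_confidence": loss_at_conf,
        "unexpected_loss": loss_at_conf - expected,
        "closed_form_expected": expected_annual_loss(lam, mu, sigma),
    }


if __name__ == "__main__":
    for key, value in capital_summary().items():
        print(f"{key:>22}: {value:,.2f}")
```

Twelve data points are of course far too few to trust the tail of the resulting distribution, which is precisely the backtesting flaw the text describes; the example is useful mainly to show how sensitive the 99% figure is to the fitted sigma and to the handful of large events in the database.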
4. Loss-Scenario / Qualitative Assessment Models
These models produce a subjective loss estimate for a given time
horizon (say one year) and confidence level (say 99%), based on
the experience and expertise of key managers. Weaker assessment
forms could just require ranking of the Operational Risk level for
each element of a risk map or checklist.
Qualitative assessment models have been put forward, as they are
particularly well suited for tackling both the frequent
unobservability of Operational Risk and its high context dependency.
A purely qualitative assessment can also be turned into a
Such methods have the advantage of enhancing transparency of the
CHANGE of Operational Risk. They also allow a proactive
management of the level of Operational Risk. However, as they
rely on the subjective judgment of experts, they are only
appropriate for a crude quantification of the Operational Risk
economic capital level and Operational Risk capital allocation.
The data challenge
• Data availability is a precondition. Activities only turn into data, if
they are recorded in a form which can be retrieved at a later stage.
• The operational risk data should be available in ‘frequency’ and
‘level of detail’
• Operational Risk data should be systematically collected for all
departments, business lines or clusters
• Many risk areas just cannot be measured. They require judgment.
Accordingly, two types of data, qualitative data and quantitative
data must be distinguished.
• It is extremely important that the information to be captured in
the data is clearly defined, in terms of content, feature, unit. This
is a precondition for standardization and tracking possible failures
of reporting, formats, etc.
• Structured data is a key rule to success: discipline is required in
allocating tags to Operational Risk data such as definition-, time-,
source-, organization-, frequency-references, etc. to be able to
make use of them.
• it possible for data points to be combined in a reliable and
credible database system and turn them into real
• Data quality and its consistency over time is the issue.
• Consistency of statistics is core
• Relevance has to be ensured. Times do change. New
environments, new products are put in place. Constant
surveys and checks of the type of data being used must be
performed to avoid "white noise" or unrealistic indicators.
• Pollution of databases happens. Polluted and fake data
produce not only incorrect or incomplete but also misleading
• Without maintenance, a database engine cannot run. Data
must consistently be reported, loaded and updated.
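The tagging, definition and pollution points above translate directly into a validation step in front of the loss event database. The following added example (not from the training deck; the record layout, tag names, approved currency list and the sample batch are constructed assumptions) checks each incoming record for the required tags, a known risk category, a parseable and plausible event date, a positive loss amount in an approved currency, and a duplicate event identifier within the batch, and returns the clean records separately from the rejects with their reasons.

```python
from datetime import date

# Added example (not from the training deck): a data-quality gate for loss
# event records before they are loaded into the loss event database. The
# record layout, tag names and allowed values are constructed assumptions.

# The five OpRisk categories named in the deck.
RISK_CATEGORIES = {"Organization", "Policy and Process", "Technology",
                   "Human", "External"}
# Tags every record must carry (assumed layout): definition, time, source and
# organization references plus the amount and its unit.
REQUIRED_TAGS = ("event_id", "business_unit", "category", "event_date",
                 "gross_loss", "currency", "source")
ALLOWED_CURRENCIES = {"USD", "EUR", "PKR"}  # assumed approved list


def validate_record(rec, as_of, seen_ids):
    """Return the list of problems found in one record (empty = clean)."""
    problems = []
    for tag in REQUIRED_TAGS:
        if tag not in rec or rec[tag] in (None, ""):
            problems.append(f"missing tag '{tag}'")
    if problems:
        return problems  # no point checking values that are absent
    if rec["event_id"] in seen_ids:
        problems.append("duplicate event_id")
    if rec["category"] not in RISK_CATEGORIES:
        problems.append(f"unknown category '{rec['category']}'")
    try:
        when = date.fromisoformat(rec["event_date"])
        if when > as_of:
            problems.append("event_date is in the future")
    except (TypeError, ValueError):
        problems.append("event_date is not an ISO date")
    loss = rec["gross_loss"]
    # bool is a subclass of int, so exclude it explicitly
    if isinstance(loss, bool) or not isinstance(loss, (int, float)) or loss <= 0:
        problems.append("gross_loss must be a positive number")
    if rec["currency"] not in ALLOWED_CURRENCIES:
        problems.append(f"currency '{rec['currency']}' not in the approved list")
    return problems


def load_batch(records, as_of):
    """Split a batch into clean records and rejects with reasons.
    Duplicates are detected by event_id within the batch."""
    clean, rejected, seen = [], [], set()
    for rec in records:
        problems = validate_record(rec, as_of, seen)
        if problems:
            rejected.append((rec.get("event_id"), problems))
        else:
            clean.append(rec)
            seen.add(rec["event_id"])
    return clean, rejected


# Constructed batch: one clean record and four that should be rejected.
AS_OF = date(2021, 12, 31)
SAMPLE_BATCH = [
    {"event_id": "LE-0001", "business_unit": "Retail", "category": "External",
     "event_date": "2021-03-14", "gross_loss": 12500.0, "currency": "USD",
     "source": "branch report"},
    {"event_id": "LE-0001", "business_unit": "Retail", "category": "External",
     "event_date": "2021-03-14", "gross_loss": 12600.0, "currency": "USD",
     "source": "branch report"},                      # duplicate id
    {"event_id": "LE-0002", "business_unit": "Treasury", "category": "Technology",
     "event_date": "2022-01-05", "gross_loss": 4000.0, "currency": "USD",
     "source": "incident ticket"},                    # dated after as_of
    {"event_id": "LE-0003", "business_unit": "Retail", "category": "Human",
     "event_date": "2021-07-01", "gross_loss": -300.0, "currency": "XXX",
     "source": "audit"},                              # bad amount and unit
    {"event_id": "LE-0004", "business_unit": "Retail", "category": "Human",
     "event_date": "2021-07-01", "gross_loss": 900.0, "currency": "USD",
     "source": ""},                                   # missing source tag
]

if __name__ == "__main__":
    accepted, rejects = load_batch(SAMPLE_BATCH, AS_OF)
    print(len(accepted), "accepted")
    for event_id, reasons in rejects:
        print(event_id, "rejected:", "; ".join(reasons))
```

Rejects are returned with every reason rather than the first one found, so the reporting unit can correct a record in one round trip; silently dropping or "fixing" a polluted record would itself be a form of the database pollution the text warns about.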
Quantification of operational risks
In this exercise, we will look at whether it is possible to measure
each element of Operational Risk separately or whether only
a qualitative assessment can be performed.
Quantification / measurement generally involves looking at four
aspects of a phenomenon within an organization:
• Its size, severity or intensity
• Its frequency
• Its context dependency: different in different situations
• Its interaction - contagion/correlation - with other events
Size describes the observed extent of a move.
Frequency describes the number of times a move of a given size
occurs within say a given time period or a given organizational
Context dependency describes whether the move size is
different in different situations or not.
The lower the observability of moves in terms of size and
frequency and the higher their context dependency and
interaction, the more difficult it will be to measure the
Operational Risk sub-category. In such cases a qualitative
assessment offers the best alternative for quantification.
"Technology" and "external risks" should allow for a database
based quantification, similar to the one performed for market
or credit risk.
"Organization, policy and process", however, only permit a
quantification based on qualitative assessments.
Given the challenge that only relatively few elements in
Operational Risk are credibly measurable and quantifiable, it
is essential on the management level not to make the
measurable important, but the important measurable.
Modern IT systems lead to new processes. The pressure
from everywhere to invest continuously and
dramatically - including in the interest of risk reduction
- in modern processes is immense.
Integrated IT networks are central, especially for a global
institution. Internet related technologies enable much
higher and more sophisticated levels of co-
ordination, globality, efficiency and flexibility.
However, they open the door for chaos and risks if they
are not consistent, structured, harmonized and stable
The new technologies lead to unique opportunities to
modify and/or overhaul business processes as to
workflow, service delivery and risk reduction
• Check Point Risk Management Software
It is a software solution that allows efficient operational risk management in
order to improve business processes and performance as well as simplifying
• Business Unit documentation
• Process documentation and flowcharting
• Risk analysis based on impact / likelihood assessment
• Quantitative analysis using frequency and severity using Monte Carlo
• Control identification and testing
• Residual risk auto-calculation
• Document and manage incidents / losses
• Action plans and tasks
• Automated alerts
• User-definable reports
• Interactive and drill-down dynamic dashboards
• Access and data control based on permissions
Principles of Operational Risk
Stages of Operational Risk
Organizational models for
Frameworks for Operational Risk
Principles of Operational Risk Management
• There are 12 Golden Rules in Risk Management. They are the
result of observations and adjustments over the years and
apply to Operational Risk aspects as well.
1. Risk is uncertainty about future results.
2. The 6 S's for the systematic mental discipline of an
organization, the logical sequence: Strategy, structure,
system, systems, safety, speed.
3. Clear structure, allocation of responsibility and
accountability and discipline are basic preconditions.
4. Rigorous measures in case of non-compliance/breaches.
5. Completeness, integrity and relevance of
data/systems/information as a basis.
6. Risk management is a tenacious process not a program.
7. Risk management is part art, part science.
8. Models are always only part of an overall risk management
approach and must include common sense.
9. Complexity is the enemy of speed and responsiveness: try
hard for simplicity.
10. Self-management and leadership with regard to a culture of
open communication based on "experience" and know-how
are increasingly challenging: Ban knowledge-hoarders and
turn knowledge-givers into heroes as part of
11. Responsible control/compliance/risk culture is as important
as the most sophisticated quantification.
12. Successful risk management is primarily the result of the
capacity, aptitude and attitude of the people involved: people
shape the culture, reputation and brand equity.
Implementing Operational Risk management implies
the progression through the following four stages
Meridien Research approximates the lead time for
Stage 1 to Stage 4 with a minimum of 2 - 3 years,
depending on the complexity and the size of an
organization. The research indicates that most of
the Top 500 financial institutions worldwide are still
in stage 1 and 2. A handful has attained Stages 3
Organizational models for managing risks
A survey has identified 3 generic organizational
models for Operational Risk management:
• A Head Office Operational Risk function
• A dedicated but decentralized support
• Internal Audit playing a lead role in Operational
• Audit driven Operational Risk Management
It is self-evident that auditing and controlling activities do not
report to those who are audited
Internal and external audits play a very relevant role, especially
in the Operational Risk arena. It is true that many
conventional audits are more control-oriented or
concentrating on symptoms. However, forward looking and
diligent audit reports are an excellent base for operational
improvements and reduction or elimination of Operational
Risk: From ex-post assessments to ex-ante improvements.
The audit driven approach is the most pragmatic and readily
implementable approach in Operational Risk management. As
important as the audit reports themselves are the
corresponding follow-ups and corrective actions by those
There is no commonly accepted benchmark or model as to the
methodology of managing Operational Risk. As to be expected in the
art of management, there are arguments for both top-down and
bottom-up approaches in Operational Risk management.
Frameworks for Operational Risk Management
A common framework for Operational Risk
management for banks which has emerged recently
includes integrated processes, tools and mitigation
strategies. This framework has 6 components
Three main objectives and roles of internal control
• Efficiency and effectiveness of activities
• Reliability, completeness and timeliness of financial
and management information (information
• Compliance with applicable laws and regulations
Internal control consists of 5 interrelated elements:
• Management oversight and the control culture
• Risk recognition and assessment
• Control activities and segregation of duties
• Information and communication
• Monitoring activities and correcting deficiencies
An appropriate control and compliance culture is part
of the risk culture. This "cultural aspect" needs
close and continued attention by senior
management. "Culture" is qualitative. It cannot be
quantified or modeled.
Operational Risk Control: 12 General Rules as a Check List
1. Have a control environment and a compliance culture
which accepts internal supervision
2. Regulators' standards are continuously being raised
3. Map regulatory requirements directly to compliance
4. Organize the activities so that they can be controlled
5. Construct procedures relevant for the concrete activity
6. Document the procedures and maintain the relevant
7. Train management and staff
8. Special attention for control procedures
9. Compliance plays an increasingly core role for OpRisk
10. E-commerce presents a new control/compliance challenge
11. Supervisory board and senior management have an
increasing responsibility for controls and compliance: from
back to board room
12. Procedures should ideally have the following
Single document as to rules and requirements
Structured along the activity flow
Clear: so someone else can pick it up; see staff turnover, role of
Instructing: what is to be done in case of......
Teachable: so it can be used as a training aid
Implementable: use simple check lists
“Our lives improve only when we take chances- and
most difficult risk we can take is to be honest with