Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
THE KEY RISK INDICATORS: A
WORKING EXAMPLE
Dr. Zakaria Salah
2015
OperationalRiskManagement OPERATIONAL RISK
 Operational risk is defined as “the risk of losses
resulting from operational...
OperationalRiskManagement OPERATIONAL RISK LOSSES
 John Rusnak and Allied Irish Bank – fraud
 Bank of Credit and Commerc...
OperationalRiskManagement OPERATIONAL RISK GOVERNANCE AND
STRUCTURE
2 13
OperationalRiskManagement WHAT ARE THE APPLE & WHAT IS THE FORKS AND
HOW MANY FORKS?
OperationalRiskManagement KEY INDICATORS
Key Indicators
Key Control Effectiveness
Indicators
KCIs
Key
Performance
indicato...
OperationalRiskManagement KEY RISK INDICATORS (KRIS)
 KRIs, as the name suggests, are indicators over the key
risks to wh...
OperationalRiskManagement KEY RISK INDICATOR (KRIS)
 Developing KRIs is a prerequisite for effective risk
management.
 U...
OperationalRiskManagement KEY RISK INDICATORS
 The risk indicator has to have an explicit relationship to the
specific ri...
OperationalRiskManagement KEY RISK INDICATORS
KRIs are focused primarily on identifying and tracking
current risk.
Objec...
OperationalRiskManagement PROCESS TO IDENTIFY KRIS
Identify and analyse a business process (process flow analysis).
Perfor...
OperationalRiskManagement
• KRIs primarily track components of a risk story that has
already commenced. The occurrence of ...
OperationalRiskManagement HOW DO YOU IDENTIFY KRIS
People risk
Define Risk category
Inability to
recruit
Inability to
reta...
OperationalRiskManagement SETTING THRESHOLDS FOR THE KRI
 A key risk indicator for monitoring and responding to “loss of ...
OperationalRiskManagement INFORMATION THAT CAN HELP TO IDENTIFY
SIGNIFICANT RISKS
 Historical internal & external loss ev...
OperationalRiskManagement CONSIDERATION IN THE SELECTION OF
KRIS/CHARACTERISTICS
 Ideally determined for many of the sign...
OperationalRiskManagement ROLES AND RESPONSIBILITIES
Business Unit/
Dep.
• Identification
of indicators
• Setting of
thres...
OperationalRiskManagement KEY RISK INDICATOR WORKFLOW DIAGRAM
Set up KRI
Definitions
Define/assi
gn
Thresholds
Set up
subm...
OperationalRiskManagement KRI DATABASE AND REPORTING
 The KRI Database should include the following
 The name of the KRI...
OperationalRiskManagement KRIS COLLECTION PROCESS
 Sending notification and follow up to those responsible for
input of t...
OperationalRiskManagement MANAGING KRIS
Collate the data required at the approved times.
Draft the report according to the...
OperationalRiskManagement EXAMPLES OF KRIS FOR CREDIT RISK
Front office – daily indicators
• Number/amount of interest
pay...
OperationalRiskManagement EXAMPLES OF KRIS FOR FINANCIAL MARKETS
ACTIVITIES
Front office – daily indicators
• Number of Br...
OperationalRiskManagement DEVELOPING KRIS IN ISDB AND LESSONS
LEARNED
• Operational risk team has already done Risk and Co...
OperationalRiskManagement CASE STUDY
Think of one risk as an example of the risks that your
department is exposed to and t...
OperationalRiskManagement
Upcoming SlideShare
Loading in …5
×

Key risk indicators shareslide

21,256 views

Published on

how to develop KRIs for operational risk management by Dr. Zakaria Salah

Published in: Business
  • DOWNLOAD FULL. BOOKS INTO AVAILABLE FORMAT, ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Quite useful. Would be nice to have a few more KRI examples (by risk category) ... still looking
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • I found it very useful and practical... Thank you!
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Key risk indicators shareslide

  1. 1. THE KEY RISK INDICATORS: A WORKING EXAMPLE Dr. Zakaria Salah 2015
  2. 2. OperationalRiskManagement OPERATIONAL RISK  Operational risk is defined as “the risk of losses resulting from operational failures due to processes, people and systems or from external events”.  Examples: human errors, IT failure, fraud, flood..etc.  Main sources of operational risk are People, Systems, Processes and External Events  The main objectives of managing OpRisk:  Changing the risk culture in the institution.  Avoiding or minimizing operational risk losses.  Providing early warning signals.  Improving work-flow quality.
  3. 3. OperationalRiskManagement OPERATIONAL RISK LOSSES  John Rusnak and Allied Irish Bank – fraud  Bank of Credit and Commerce International – major fraud  Nick Leeson and Barings Bank – bank collapse  Soc Gen and Jerome Kerviel – Euro 7.2 bn major fraud 3
  4. 4. OperationalRiskManagement OPERATIONAL RISK GOVERNANCE AND STRUCTURE 2 13
  5. 5. OperationalRiskManagement WHAT ARE THE APPLE & WHAT IS THE FORKS AND HOW MANY FORKS?
  6. 6. OperationalRiskManagement KEY INDICATORS Key Indicators Key Control Effectiveness Indicators KCIs Key Performance indicators KPIs Key Risk Indicators KRIs Is a metric that provides information on the level of exposure to a given operational risk which the organization has at a particular point in time. Are metrics that provide information on the extent to which a given control is meeting its intended objectives (in terms of loss prevention, reduction, etc.). Are metrics that measure performance or the achievement of targets. 6
  7. 7. OperationalRiskManagement KEY RISK INDICATORS (KRIS)  KRIs, as the name suggests, are indicators over the key risks to which the organization is exposed to. They are identifiable pieces of information that can act as a proy or indicator of the current, or potential level of that key risk. Since the rogue trading incidents at Société Générale in 2008 and UBS in 2011, many banks have developed the monitoring of specific KRIs for rogue trading. Risk Indicators are an important tool within operational risk management, facilitating the monitoring and control of risk. KRI is a metric that provides information on the level of exposure to a given risk which the organization has at a
  8. 8. OperationalRiskManagement KEY RISK INDICATOR (KRIS)  Developing KRIs is a prerequisite for effective risk management.  Useful risk indicators help identify rises in probabilities of occurrence of incidents early enough to prevent them. Credit analysts know which financial ratios, management behaviors and economic conditions will trigger a rise in credit risk. In Paris, Taxi meters are limited to eleven hours per day, preventing cab drivers overworking, since tiredness is a well- documented contributor to car accidents. Same for our staff, overtime leads to human errors and severe operational risk 8
  9. 9. OperationalRiskManagement KEY RISK INDICATORS  The risk indicator has to have an explicit relationship to the specific risk whose exposure it represents.  For example, Further examples of risk indicators include staff turnover (which may be linked to risks such as fraud, staff shortages and process errors), the number of data capture errors (process errors) and the number of virus or phishing attacks (IT systems failure). another examples of KRIs: number of limit breaches, number of outstanding items on the bank reconciliation..etc. Take the number of customer complaints, which is likely to be linked to the risk of process errors – as customer complaints increase, the probability that there are some underlying and potentially systemic mistakes and errors of judgment being made is likely to rise.
  10. 10. OperationalRiskManagement KEY RISK INDICATORS KRIs are focused primarily on identifying and tracking current risk. Objectives of KRIs:  Monitor current level of operational risk.  Detect problems as part of an early warning system.  Report risk levels in as timely manner as possible.  Implement an effective risk appetite.  Promote the awareness of risk issues across the staff.
  11. 11. OperationalRiskManagement PROCESS TO IDENTIFY KRIS Identify and analyse a business process (process flow analysis). Perform a risk and control self-assessment of the business process to identify the inherent risk, control measures and residual risks of the business process. Prioritise the residual risks in terms of high, medium and low risks. Identify the indicators according to the characteristics of a KRI:  the risk must be a high priority (high risk);  the KRI must be quantifiable; and  the data must be available. All stakeholders agree to a threshold for the KRIs. Register the indicator as a KRI. Determine the roles and responsibilities in managing the KRIs. Determine the reporting frequency and method, including escalation process.11/24/2015 11
  12. 12. OperationalRiskManagement • KRIs primarily track components of a risk story that has already commenced. The occurrence of risk causes and risk events will in most instances produce evidence (risk red flag). • KRIs are designed to identify that evidence, interpret it and rely it back to management in a meaningful and timely fashion to take actions. Cause Cause Cause Risk Event Effect Effect Effect Key Risk Indicators Detective Controls Expected loss events KEY RISK INDICATORS
  13. 13. OperationalRiskManagement HOW DO YOU IDENTIFY KRIS People risk Define Risk category Inability to recruit Inability to retain Inadequate skills and education Develop Causes Map Low staff morale Low job satisfaction Establish KRIs Staff turnover ratios Average time to fill No. of applicant per vacancy % of job offers accepted Poaching by competitors Poor performance of staff
  14. 14. OperationalRiskManagement SETTING THRESHOLDS FOR THE KRI  A key risk indicator for monitoring and responding to “loss of staff” risk is staff turnover levels.  Key risk indicators of this type require;  Tolerance thresholds in order to give a meaningful representation of the risk;  The resultant ratings which could be used to create “heatmap” reporting on indicators. So the KRI Thresholds can be set as follows Below 5% – acceptable risk. The organization is comfortable with the level of staff turnover. from 5% to 10% – Potential risk. The risk is a concern and HR would be expected to monitor actively and establish causes and actions. Escalation required raising awareness. Above 10% – Significant risk. Action and escalation with explanatory report required When given thresholds are breached there will be a requirement to escalate to KRI Acceptab le Early warning Worst Case Staff Turn Over Below 5% 5%-10% >10%
  15. 15. OperationalRiskManagement INFORMATION THAT CAN HELP TO IDENTIFY SIGNIFICANT RISKS  Historical internal & external loss events;  Risk and control self assessment results;  Internal / external audit findings;  Workshops / discussions with business functions e.g. Human resources (including staff turnover statistics).  Clients complaint cases  Integrity Unit findings  Compliance failure  Improvement Implementation failure
  16. 16. OperationalRiskManagement CONSIDERATION IN THE SELECTION OF KRIS/CHARACTERISTICS  Ideally determined for many of the significant risks identified in the risk and control self assessment (self assessment) process;  Can provide “early warning” signals to trigger actions that reduce potential risk exposures;  Some indicators are meaningless on their own and need to be combined with other KRIs. In many cases, it is a group of KRIs that will provide the best management information for a meaningful assessment;  Can indicate past, current and projected level of risks and can be used as a criteria to monitor, escalate and manage risk and related actions; and  KRIs relevance and change in importance over time. The appropriate frequency of reporting and monitoring of each identified indicator is also an important consideration. Other characteristics are: measureable, easy to monitor, auditable, comparability
  17. 17. OperationalRiskManagement ROLES AND RESPONSIBILITIES Business Unit/ Dep. • Identification of indicators • Setting of thresholds • Monitor position against targets and limits • Escalate breaches to operational risk management Risk Management Dep • Provide guidance and challenge the selection of KRIs and thresholds • Monthly reporting on KRI Breaches • Ad-hoc escalation reporting to Board • Identify trends across the business Internal Audit Dep. • Provide validation / independent assurance around the KRI process • Incorporate outputs into audit plan
  18. 18. OperationalRiskManagement KEY RISK INDICATOR WORKFLOW DIAGRAM Set up KRI Definitions Define/assi gn Thresholds Set up submissio ns Submit to KRI owner Capture Data KRI owner review and approved Submit data to KRI coordinato r KRI Owner Review KRI Reporter KRI Owner
  19. 19. OperationalRiskManagement KRI DATABASE AND REPORTING  The KRI Database should include the following  The name of the KRI  Description of the KRI  Objective of the KRI  What is the KRI tracking  The linkage of the KRI to the risk cause  The linkage of the KRI to the risk event  The linkage of the KRI to the risk effect  The linkage of the KRI to control(s)
  20. 20. OperationalRiskManagement KRIS COLLECTION PROCESS  Sending notification and follow up to those responsible for input of the KRIs information by the due date.  Software based collection system can assist and facilitate the process.  Input of KRIs data either via a system interface or manually.  Quality assurance off KRI data to ensure accuracy of data prior to the processing.  Reporting of the KRIs with action required:  No action required. For green - colored KRIs  Explanation with suggested corrective actions provided by the business unit within one month. These KRIs are escalated to senior management. For Amber – Colored KRIs  Explanation with suggested corrective actions provided by the business unit within 10 days. These KRIs are escalated to CRO, KRI KRI1 X KRI2 X KRI3 X
  21. 21. OperationalRiskManagement MANAGING KRIS Collate the data required at the approved times. Draft the report according to the approved format. Submit the report according to the approved timeframes and to the approved role players. Develop and implement control measures if there is a breach in the approved threshold. Monitor the various business influences, which could lead to a change in the approved threshold, for example an increase in business, external influences on business processes, etc. Submit KRI information to serve as an input for operational risk modelling (to determine a realistic capital for operational risk). Submit KRI information as an input to determine the risk profile and the risk appetite of the organisation. Submit KRI information to test the risk and control self-assessment results.11/24/2015 21
  22. 22. OperationalRiskManagement EXAMPLES OF KRIS FOR CREDIT RISK Front office – daily indicators • Number/amount of interest payment delay • Number/amount of credit limit breach • Number of loans/days/amount in watch list Loan attribution – portfolio review • Number of loans with missing documentation • Number of loan applications close to the documentation limit Loan monitoring – credit review • % nonperforming to total loans • Breach of liquidity/solvency/leverage limits
  23. 23. OperationalRiskManagement EXAMPLES OF KRIS FOR FINANCIAL MARKETS ACTIVITIES Front office – daily indicators • Number of Breaches of trading limits • Number of Abnormal trading patterns: • Number of deals amended • Number of deals cancelled • Number of off-market price transactions Back-office/accounting – daily indicators • Number of pending confirmations • Number of unconfirmed deals • Number of unreconciled deals • Number of unsettled deals • Number of reversals • Number of pending requests Front office – environmental KRIs • Lack of supervision (number of days / weeks without line supervisors) • Blame culture (metric: number of traders fired for poor short-term performance) Back-office – environmental KRIs • Number of staff without financial background • Number of staff without on-the- job/technical training • Number of transactions per staff member (monthly % change)
  24. 24. OperationalRiskManagement DEVELOPING KRIS IN ISDB AND LESSONS LEARNED • Operational risk team has already done Risk and Control self-Assessment (RCSA) to 16 departments the main output are as follows: •List of risks •List of Control in place •Number of KRIs and KCIs •Number of Actions • About 100 of KRIs and KCIs were developed for these departments during the RCSA exercise. Lessons learned •Each department should start use their KRIs in order to track the key risks them and report to operational risk team. •They can work as an early warning indicators. •If the department feels that the KRIs that they have are not enough they can develop more KRIs. •Focusing on two or three KRIs is enough to start monitoring your key risks.
  25. 25. OperationalRiskManagement CASE STUDY Think of one risk as an example of the risks that your department is exposed to and try to (in10 minutes): Develop one or more KRIS. Set thresholds for the suggested KRIs: (acceptable, potential (early warning) and significant (worst case)) Answer 1. Define one objective that your department would like to achieve. 2. Define on risk that may prevent your department from achieving this objective 3. Define KRI(s) with thresholds that you can use it/them to monitor such risk. Objective Risk KRI
  26. 26. OperationalRiskManagement

×