First part of a high-level "qualitative" summary of my ppt presentation at the AI Financial Summit, APAC Conference, presented on 4 April, 2018 at the Sheraton Imperial Hotel, Kuala Lumpur. Part 1 here discusses more from an op risk perspective, esp. on data sourcing incl. qualitative or unstructured data and the augmented role of business process governance in op risk mgt.
AI and Data Analytics in Operational Risk Management and Investment Management – Part 1
Guan Seng Khoo, PhD; gskhoo@gmail.com
Former Head of ERM/GRC, AIMCo
I. Focus on Operational Risk Management: Prologue - Walking the Walk
The Context / Environment of the Eco-system
In most of the organizations I have worked with, I often chatted with the building security personnel and
once in a while, accompanied them while they made their rounds, to observe and understand what they
faced and experienced daily and get their feedback on how they would react and communicate to the
stakeholders (incl. landlords, tenants, occupants, govt. support services, etc.) in times of disruptions,
emergencies, etc. or criminal acts as well. In essence, they are the "experts" in their defined areas of
responsibilities and getting their feedback helps us in our own understanding of how the
potential operational risks can arise in a particular eco-system (vertical or at the BU level or horizontal
and cross-sectional at the enterprise level) with a lifecycle view of the business activities and processes in
the eco-system.
Internal Blind Spots
To elucidate further the importance of understanding the business process in the operational risk space,
let’s briefly compare the loss events at Barings and Enron. In the case of Barings, it was about the lack of
oversight and awareness by the senior management and board of directors (in London) about Leeson’s
activities in Singapore, while in Enron’s case, the senior management was directly involved in the
fraudulent activities. The fraudulent activities in both cases were due to and involved different "internal"
processes.
So, as I listened to most of the other speakers (mostly from IT vendors) at this AI event, I realized that
most of the focus of the FCC solution vendors today (in the field of AI and data analytics applied to op risk
management) is still biased towards the external perspective in targeting the external perpetrators in
say, fraud, money laundering, hacking, KYC-type client on-boarding (naturally, of course), etc. Very few of
these solutions cover the internal (or in-house) perspective or address more of the potential incidents
or issues that could be perpetrated by insiders or colleagues, in isolation (e.g., rogue trader) or in cahoots
with other parties (e.g., the LIBOR scandal). Hence, it is very important to first understand and be
knowledgeable about the business process occurring in a particular or generic context (environment), to
augment one’s risk mitigation or management challenge in devising strategies or procedures to mitigate
such potential loss events.
Eco-system Impact from Individual Parts (when not in sync with the rest)
When all the parts in this eco-system are moving smoothly and in unison, it's almost like a "6 sigma"
state. However, it just takes one entity or participant who refuses to play along to cause a malfunction
or breakdown in the integrity process to impact the whole ecosystem. Using an extreme example, this is
often the case with issues in home title ownership in some countries or provinces where fraudulent
characters impersonate the real or beneficial owners, selling their homes and absconding with the
proceeds, jeopardizing the status of the beneficial owners who are often still liable for the mortgage loans
outstanding. These criminals often act in cahoots with insiders or perpetrators at say, the land registries,
etc. So, while the lender (the FI) might have a sophisticated KYC system in identifying the borrower (the
victim of the crime above) as a credit-worthy customer, events or perpetrators in other "organs" of the
eco-system might still cause an impact or unintended consequence to the state of operational risk
readiness at the lender's end.
Business Process Governance
Essentially then, in the context of optimal operational risk management, it is highly appropriate to perform
a risk mapping between the potential loss events and business process first. The risk-based mapping
process will enhance the clarity and future audit of the operations in addition to unearthing more latent
information about the organization itself. This way, a more comprehensive and enterprise-view of the
potential operational risk exposures hopefully can be unearthed first.
Of course, not all scenarios can be accounted for but the task involved will elevate the organization to a
higher level of awareness and appreciation of all its business processes and correspondingly, operational
risk management. As a result of the exercise, if future loss incidents occur, the risk response from the
mapping process may potentially help prevent the escalation of these losses or mitigate them
appropriately.
What is often not mentioned from these process-centric risk mapping exercises is the transparency that
they yield as part of the outcomes. When performed across the whole organization, the clarity achieved
in terms of highlighting each business unit or line, together with the core processes and task-holders
(contact persons) involved can never be under-estimated as accountability and “auditability” are also
taken into consideration – ATA (Accountability, Transparency and Auditability) – see Fig. below.
When coupled with issues related to the quality, time and cost, such a risk- and data-oriented ATA model
will provide a better analysis of the processes and the potential operational risk exposures. Also, with the
current global emphasis on corporate governance and transparency, the ATA approach fits this “ethics”
mindset nicely and provides the benchmark for best practices in ORM implementation, especially those
pertaining to Pillar 2 of the Basel Accord.
To expedite the mapping, we can make use of reference models for the definition of high-level processes,
with the risks assigned on a process level, instead of a business line, thus yielding more clarity and
concrete information. The processes themselves can also be the basis for the op risk self-assessment
(RSA), ensuring a complete picture for every process.
In a nutshell, ORM and business process governance go hand in hand, augmented by smarter
analytics of the data or information from myriad sources incl. expert judgements.
Lessons on Data Sourcing – Performing Due Diligence Assessment on External Managers
While most assessments on external managers tend to focus on their financials, I also employ the same
principles as above when visiting these firms to get a better appreciation of how they (external managers)
manage risk. I prefer to meet employees from all levels of their organizational hierarchy in their natural
setting, rather than in just pre-arranged meeting rooms (and usually with C-suite or senior management
executives only). Once, I visited a famous firm and in an informal chat with one of the portfolio managers
along the corridor after lunch, he “boasted” about the Bentley he just bought after joining the firm
because the rest of the senior staff also owned and drove Bentleys (evident from the parked Bentleys in
the carpark) ... You can guess how I perceive this firm.
Extending your conversations to include the traders on the trading floors, auditors or compliance staff
going about doing their work, including the janitor, you’d often be surprised by the nuggets of
information you pick up. Such informal activities and exchanges often yield far more information about
the firms’ conduct and integrity beyond the financial numbers and these unstructured data play a critical
role in my overall assessment of these firms during my due diligence visits – I will be elaborating more on
the financial and performance assessment in part 2.