SBP Regulatory Requirement
• SBP has directed banks to implement a robust operational risk management framework, vide its BPRD Circular No. 4 dated May 20, 2014, with the objective:
• To identify, assess, measure and control the operational risks embedded in day-to-day banking transactions, products, systems and processes.
Definition of Operational Risk
• “The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.”
• This definition includes legal risk but excludes strategic and reputational risk.
• The bank is required to have a robust framework for ongoing evaluation of its operational risk exposure, to prevent fraud and reduce transactional errors by maintaining a strong emphasis on internal controls, and to develop its human resources.
Tools & Techniques of Risk Identification & Assessment
• The following are the recommended techniques/ tools for operational risk
identification and assessment.
o Risk Control & Self Assessment (RCSA)
o Key Risk Indicators (KRIs)
o Gathering of Internal Loss Data
Role and Responsibilities of ORM Coordinators
• ORM Coordinators are identified in all head office divisions to facilitate the implementation of the operational risk management framework.
• ORM Coordinators report on and validate RCSA and KRIs.
• ORM Coordinators report operational loss events to ORM in the prescribed format on a periodic basis.
Risk Control & Self Assessment (RCSA)
• RCSA is the process in which potential material risks are identified and recorded along with their related controls.
• The RCSA exercise should also focus on identifying and assessing future potential risks, since most of the largest operational risk losses arise from new issues that are difficult to forecast.
• The RCSA template records the following columns for each activity:
o Activity
o Risk ID
o Basel II Event Type Category (Level 1)
o Risk Description
o Inherent Risk Assessment: Impact, Likelihood
o Mitigating/ Control Description
o Residual Risk Assessment: Impact, Likelihood
o Expected Loss
o Process Owner
o Control Owner
o Key Risk (Yes/ No)
o Key Control (Yes/ No)
o Key Risk Indicators (KRI): Description of KRI/ Control Indicator; Threshold (Low, Medium, High)
Risk Control & Self Assessment (RCSA)
• Controls are best suggested by the staff who actually perform the activities.
• RCSAs can be carried out through process mapping, brainstorming sessions, surveys, workshops and expert judgment/ interviews.
• Banks shall identify and monitor at least 15 key risk indicators in each business line.
Key Risk Indicators (KRIs)
• The KRI selection process starts by analyzing the key risks already identified through RCSA exercises, audit reports, the industry environment and actual loss experience.
• Analysis of past events helps identify the intermediate event or root-cause event that led to the loss.
• KRIs are measurable indicators, which can be termed early warning signals, that provide information on an increased current or potential level of operational risk.
• The goal of an effective KRI is to pinpoint the ultimate root cause of the risk event.
• The indicator is designed to transmit meaningful and timely information to management, enabling it to take corrective action to avert potential operational losses before they happen or grow larger.
Examples of Inherent Risk, Control, KRIs & Threshold
Risk ID 1
• Risk Description: Branches may not send letters to the beneficiaries of unclaimed deposits, in violation of SBP instructions.
• Mitigating/ Control Description: Branches are in practice to dispatch the prescribed letters/ notices yearly, as per the unclaimed-deposits MIS; in case of a returned notice, branches mark Hold Mail WAM in the system via e-ticket.
• Description of KRI/ Control Indicator: Number of instances where branches did not send letters to the beneficiaries of unclaimed deposits.
• Threshold (Low/ Medium/ High): 0 / 0 / 1
Risk ID 2
• Risk Description: Risk that semi-annual statements of account from the date of dormancy till the date of re-activation were not sent, or were delivered with delay, to customers in violation of SBP guidelines.
• Mitigating/ Control Description: Branches send/ deliver (under acknowledgement) the statements of account, without charges, from the date of dormancy till the date of re-activation at the customer's registered address. Branches generate tickets for activation of dormant accounts, which are authorized by CPU.
• Description of KRI/ Control Indicator: Number of instances noted in a month where semi-annual statements of account from the date of dormancy till the date of re-activation were not sent, or were delivered with delay, to customers.
• Threshold (Low/ Medium/ High): 0 / 0 / 1
Examples of Inherent Risk, Control, KRIs & Threshold
Risk ID 3
• Risk Description: Risk that branches may not maintain a minimum of one day’s fresh/ re-issuable cash balance in line with average daily cash payment requirements.
• Mitigating/ Control Description: Branches are in practice to maintain a minimum surplus of five days’ average daily payment requirement/ turnover in machine-sorted re-issuable/ fresh cash provided by Cash Processing Centers/ Cash Houses. Branches are in practice to send prior requisitions for cash to Cash Processing Centers/ Cash Houses according to their requirement/ turnover at the counter.
• Description of KRI/ Control Indicator: Number of instances noted where branches did not maintain a minimum of one day’s fresh/ re-issuable cash balance in line with average daily cash payment requirements.
• Threshold (Low/ Medium/ High): 0 / 0 / 1
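The threshold columns in the three examples above can be evaluated mechanically. The following Python is an added example, not code from the deck or from the bank's own systems: it rates an observed monthly count against a KRI's Low/Medium/High thresholds, builds the list of breaches that would go to BRMC and senior management (the reporting duty described later in the deck), and checks the deck's rule that each business line carries at least 15 KRIs. The reading of the three threshold columns (Low is the last count still rated Low, High is the first count rated High) is an assumption; the fourth KRI, the business-line assignments and the monthly readings are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class KRI:
    risk_id: int
    business_line: str
    description: str
    thresholds: tuple  # (low, medium, high) as in the register's Threshold columns

    def __post_init__(self):
        low, medium, high = self.thresholds
        # 0/0/1 is the deck's zero-tolerance pattern: any instance at all is High
        if not (0 <= low <= medium < high):
            raise ValueError(f"inconsistent thresholds for KRI {self.risk_id}: {self.thresholds}")


def rate(kri, value):
    """Rate one observed count against the KRI thresholds.

    Assumed reading of the three columns: Low is the last count still rated Low,
    High is the first count rated High, and anything in between is Medium.
    """
    if value < 0:
        raise ValueError("a KRI count cannot be negative")
    low, _medium, high = kri.thresholds
    if value <= low:
        return "Low"
    if value >= high:
        return "High"
    return "Medium"


def breaches(kris, readings):
    """Every reading rated above Low as (risk_id, value, band), High first.

    This is the list that is reported to BRMC and senior management.
    """
    by_id = {k.risk_id: k for k in kris}
    out = []
    for risk_id, value in readings:
        band = rate(by_id[risk_id], value)
        if band != "Low":
            out.append((risk_id, value, band))
    out.sort(key=lambda row: (row[2] != "High", row[0]))
    return out


def under_covered_lines(kris, minimum=15):
    """Business lines that carry fewer than the required 15 KRIs."""
    counts = defaultdict(int)
    for k in kris:
        counts[k.business_line] += 1
    return sorted(line for line, n in counts.items() if n < minimum)


# Constructed register: risks 1-3 mirror the deck's three examples (thresholds 0/0/1);
# risk 4 is hypothetical and uses a tolerance band so the Medium rating is exercised.
REGISTER = [
    KRI(1, "Retail Banking (BL03)", "Unclaimed-deposit letters not sent", (0, 0, 1)),
    KRI(2, "Retail Banking (BL03)", "Dormant-account statements not sent or delayed", (0, 0, 1)),
    KRI(3, "Retail Banking (BL03)", "One day's fresh/re-issuable cash not maintained", (0, 0, 1)),
    KRI(4, "Trading & Sales (BL02)", "Deal confirmations sent after cut-off (hypothetical)", (2, 5, 6)),
]

# Constructed monthly readings: (risk_id, observed count)
MONTH_READINGS = [(1, 0), (2, 1), (3, 3), (4, 4)]

if __name__ == "__main__":
    for row in breaches(REGISTER, MONTH_READINGS):
        print(row)
    print("business lines below 15 KRIs:", under_covered_lines(REGISTER))
```

With the constructed readings, risks 2 and 3 are rated High after a single instance because their High threshold is 1, risk 4 lands in the Medium band, and both constructed business lines are flagged as carrying fewer than 15 KRIs.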
Business Lines Mapping
• Commercial Banking (BL04)
o Corporate Banking
o SME & Commercial Division
o Special Asset Management
o Credit Risk Management
• Cost Centers/ Centralized Functions (BL09)
o Compliance Division
o Company Secretary Office
o Fraud Risk Management Unit
o IT Security
o Rights Management
o Information Technology Department
o Finance Department
o Country Operations
o Admin. General Ser. & Protocol
o Service Quality and Digital Banking
o Human Resources
o Islamic Banking Department
o CPU-Trade Finance
o Legal Division
• Trading & Sales (BL02)
o Treasury Division
o Market Risk & TMO
o Financial Institutions & Home Remittances
• Retail Banking (BL03)
o Retail Br. Banking/ COB
Loss Data Identification, Collection and Treatment
• An operational risk loss can arise only from an actual operational risk event which has a quantifiable negative impact on the profit and loss (P&L) statement of the bank. The negative impact on P&L is termed the Gross Loss, i.e. the loss before recoveries of any type.
• Loss events pass through the following stages:
o Identification of the loss event/ incident
o Reporting to the Operational Risk Department as per the approved policy
o Review of the reported event/ incident and assignment of its significance by the Operational Risk Department
o Update of the loss event/ incident to the database
Loss Data Identification, Collection and Treatment
The departments and support units mentioned below, together with Operational Risk, develop the strategies for loss data collection.
• Admin loss data includes glass door, ATM, mobile and UPS damages, cash shortages, etc.
• Information Technology (IT) loss data includes main IT server downtime reports, UPS system downtime incidents, and incident reports of virus, firewall and phishing attacks.
• Service & Quality loss data includes customer complaints (by maximum count and by resolution TAT).
• Fraud Risk Management loss data includes fraud and forgery incidents and GL/ hPlus for SBP penalties.
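The four-stage loss data process described on the previous slide (identification, reporting, review with significance assignment, update to the database) and the gross-loss definition can be enforced in a small register. The following Python is an added example, not the deck's or the bank's own system: it moves each event through the stages in order, refuses incidents with no quantifiable P&L impact, judges significance on gross loss so that recoveries never downgrade an event, and rejects duplicate database entries. The significance threshold is a placeholder (the deck gives no figure) and the sample events, one per reporting unit named above, are constructed.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional, Tuple

# Placeholder: the deck gives no figure for what makes a loss "significant"
SIGNIFICANCE_THRESHOLD = 100_000.0


class Stage(Enum):
    IDENTIFIED = 1   # event/incident discovered by the reporting unit
    REPORTED = 2     # reported to the Operational Risk Department
    REVIEWED = 3     # significance assigned by the Operational Risk Department
    RECORDED = 4     # written to the loss database


@dataclass
class LossEvent:
    event_id: str
    source_unit: str          # Admin, IT, Service & Quality or Fraud Risk Management
    event_date: date
    description: str
    gross_loss: float         # negative P&L impact before recoveries of any type
    recoveries: float = 0.0
    stage: Stage = Stage.IDENTIFIED
    significance: Optional[str] = None

    def net_loss(self) -> float:
        return self.gross_loss - self.recoveries


def _advance(event: LossEvent, expected: Stage, new: Stage) -> None:
    # Stages must be passed in order; skipping one is a process failure
    if event.stage is not expected:
        raise ValueError(f"{event.event_id}: expected stage {expected.name}, found {event.stage.name}")
    event.stage = new


def report(event: LossEvent) -> LossEvent:
    """Stage 2. Only an event with a quantifiable negative P&L impact is a loss event;
    an incident with no P&L impact is kept out of the loss data."""
    if event.gross_loss <= 0:
        raise ValueError(f"{event.event_id}: no quantifiable P&L impact, not a loss event")
    _advance(event, Stage.IDENTIFIED, Stage.REPORTED)
    return event


def review(event: LossEvent, threshold: float = SIGNIFICANCE_THRESHOLD) -> LossEvent:
    """Stage 3. Significance is judged on gross loss, so recoveries never downgrade an event."""
    _advance(event, Stage.REPORTED, Stage.REVIEWED)
    event.significance = "significant" if event.gross_loss >= threshold else "routine"
    return event


def record(database: List[LossEvent], event: LossEvent) -> LossEvent:
    """Stage 4. Append to the loss database; a duplicate event id is rejected."""
    if any(e.event_id == event.event_id for e in database):
        raise ValueError(f"{event.event_id}: already in the database")
    _advance(event, Stage.REVIEWED, Stage.RECORDED)
    database.append(event)
    return event


def process(database, events, threshold=SIGNIFICANCE_THRESHOLD) -> Tuple[List[str], List[str]]:
    """Run each event through all four stages; returns (recorded ids, rejected ids)."""
    recorded, rejected = [], []
    for ev in events:
        try:
            record(database, review(report(ev), threshold))
            recorded.append(ev.event_id)
        except ValueError:
            rejected.append(ev.event_id)
    return recorded, rejected


def significant_gross_loss(database: List[LossEvent]) -> float:
    """Total gross loss of significant events, the figure used for reporting upward."""
    return sum(e.gross_loss for e in database if e.significance == "significant")


# Constructed sample events, one per reporting unit named on the slide
SAMPLE_EVENTS = [
    LossEvent("LE-001", "Admin", date(2024, 3, 4), "ATM glass door damaged (constructed)", 45_000.0),
    LossEvent("LE-002", "IT", date(2024, 3, 9), "Core server downtime, no P&L impact (constructed)", 0.0),
    LossEvent("LE-003", "Fraud Risk Management", date(2024, 3, 15),
              "Forged cheque paid, partly recovered (constructed)", 250_000.0, recoveries=200_000.0),
]

if __name__ == "__main__":
    db: List[LossEvent] = []
    print(process(db, SAMPLE_EVENTS))
    print("significant gross loss:", significant_gross_loss(db))
```

The forged-cheque event stays significant even though 200,000 of the 250,000 was recovered, because the deck defines the loss as gross loss before recoveries; the server downtime with no P&L impact is rejected at the reporting stage rather than entering the loss data.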
Reporting & Action Plans
• Losses over defined thresholds, significant events, and critical (present or potential) risk and control breaches are immediately reported to senior management & the board of directors as per defined criteria.
• KRI breaches should be reported regularly and in a timely manner to BRMC & senior management.
• The status of internal loss data (fraud and forgery incidents, internal losses & SBP penalties) is also reported to BRMC & senior management.
• RCSA & KRI status is also reported to BRMC & senior management.
• Senior management & the board of directors are expected to understand and remain updated on the most significant KRIs pertaining to the institution’s top 10 risks.
The Basic Indicator Approach
Banks using the BIA must hold capital for operational risk equal to the average, over the previous three years, of a fixed percentage (denoted alpha) of positive annual gross income.
The charge may be expressed as follows:
KBIA = [Σ(GI1…3 × α)] / n
Where:
KBIA = the capital charge under the Basic Indicator Approach;
GI = annual gross income, where positive, over the previous three years;
n = number of the previous three years for which gross income is positive;
α = 15%.
Standardized Approach (SA)
• The Standardized Approach (SA) for measuring minimum operational risk capital requirements shall replace all the existing approaches in the Basel Capital Adequacy Framework.
• Under this methodology a direct capital charge against operational risk is calculated; the corresponding Risk Weighted Assets (RWAs) are therefore derived by multiplying the operational risk capital charge by 12.5.
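The BIA formula from the previous slide and the 12.5 capital-to-RWA multiplier above can be worked through on sample figures. The following Python is an added example, not the deck's or the bank's own calculation: it computes KBIA with α = 15% over only the years with positive gross income (excluding a loss-making year from both numerator and denominator n), converts the charge to RWAs, and shows for contrast the understated figure a naive three-year average would produce. The gross income figures are constructed.

```python
ALPHA = 0.15            # fixed percentage alpha from the deck
RWA_MULTIPLIER = 12.5   # capital charge to RWA conversion from the deck


def bia_capital_charge(gross_income, alpha=ALPHA):
    """K_BIA over the previous three years of annual gross income.

    Years with zero or negative gross income are excluded from both the numerator
    and the denominator n, which is what keeps a loss-making year from diluting
    the charge.
    """
    if len(gross_income) != 3:
        raise ValueError("BIA uses exactly the previous three years of gross income")
    positive = [gi for gi in gross_income if gi > 0]
    if not positive:
        raise ValueError("no year with positive gross income; K_BIA is undefined")
    return sum(gi * alpha for gi in positive) / len(positive)


def naive_three_year_average(gross_income, alpha=ALPHA):
    """The wrong calculation: averaging alpha x GI over all three years, negative years included."""
    return sum(gi * alpha for gi in gross_income) / len(gross_income)


def operational_rwa(capital_charge, multiplier=RWA_MULTIPLIER):
    """Risk-weighted assets equivalent of an operational risk capital charge."""
    return capital_charge * multiplier


# Constructed figures in PKR million: one loss-making year among the three
GROSS_INCOME = [1_000.0, 1_200.0, -300.0]

if __name__ == "__main__":
    k = bia_capital_charge(GROSS_INCOME)
    print(f"K_BIA = {k:.1f}, RWA = {operational_rwa(k):.1f}")
    print(f"naive three-year average would give {naive_three_year_average(GROSS_INCOME):.1f}")
```

With the constructed figures the charge is (150 + 180) / 2 = 165, giving RWAs of 2,062.5; averaging all three years including the negative one would give only 95, which is why the definition of n matters.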
Important Definitions
Capital Charge:
Gross income, or a combination of gross income and outstanding advances, is taken as the exposure indicator on the basis of which the operational risk capital charge is calculated.
Minimum Capital Requirements:
The least amount of capital that banks and depository institutions are required to maintain is referred to as the capital requirement. This amount should never be claimed or lent out, and should not be borrowed. The reserved capital is meant to absorb unexpected losses.
Risk-weighted assets (RWA):
Risk-weighted assets are used to determine the minimum amount of capital that must be held by banks and other financial institutions in order to reduce the risk of insolvency.
What is Business Continuity Plan?
Which events are we considering?
• Any unplanned event that can cause death or injury
– to employees, customers, tenants or the public
• An unplanned event that can disrupt banking operations
• An unplanned event that can threaten an organization’s financial standing or image
What is Business Continuity Plan?
• A documented plan (BCP) assists in returning to some level of normal operations: restoring customer services, income, jobs, etc.
• BCP is proactive planning on the part of management to keep the business running in case of disruption due to events beyond its control.
• Following an “event” or disaster, it will be anything but “Business As Usual”.
What is Business Continuity Plan?
• Ensure a timely, predefined response to an emergency situation.
• Ensure emergency situations are dealt with quickly and effectively.
• Goal of the initial response plan: minimize human loss, monetary loss and damage to facilities, and restore business within the pre-specified time.
• Protect the reputation of the organization.
OBJECTIVES OF BCP
• Provide uninterrupted banking services to customers.
• Mitigate the negative effects of disruptions to remain in compliance with applicable laws and regulations.
• Protect the lives of staff and customers and prevent damage to the bank’s assets.
• Minimize financial loss to the bank.
DISRUPTION/ UNCONTROLLABLE EVENTS
• Fire, earthquake, floods, rains.
• Hold-up, dacoity, acts of terrorism, riots, strikes.
• Breakdown in utility services.
• Failure of IT systems and/ or breakdown in network/ communication lines.
• War or civil commotion, etc.
Determine Degree of Disruption
• The following degrees of disruption will be used to rate the event and its subsequent effect.
Degree: Recovery Timeline
Low: Operations recovery within 0 - 3 hours.
Medium: Operations recovery within 3 - 6 hours.
High: Operations recovery within 6 - 24 hours.
Extreme: Operations recovery over 24 hours.
WHEN TO “INVOKE” BCP
• The decision to INVOKE BCP depends on the conditions faced by the branch. The following points (not an exhaustive list) will help the branch identify its need for INVOKING BCP.
Situation: Degree of Disruption
Unavailability of Premises: Low to High
Unavailability of Systems: Medium to High
Unavailability of Network Infrastructure: Medium to High
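The recovery-timeline bands and the situation table above can be turned into a small decision aid. The following Python is an added example, not the deck's or the bank's own tool: it maps an estimated operations-recovery time to Low/Medium/High/Extreme, checks whether that degree is one the table expects for the situation (if not, the estimate deserves a second look), and records whether the event is handled locally or escalated to the BCP Administrator. Two assumptions: the upper bound of each band is inclusive (exactly 3 hours is Low, exactly 6 is Medium, exactly 24 is High), which the deck does not state, and a Low-degree event is handled by branch management while Medium and above goes to the BCP Administrator, as the two SOP slides that follow describe. The estimates used in the sample run are constructed.

```python
DEGREES = ("Low", "Medium", "High", "Extreme")

# Degree of disruption normally expected for each situation, from the deck's table
SITUATION_RANGE = {
    "Unavailability of Premises": ("Low", "High"),
    "Unavailability of Systems": ("Medium", "High"),
    "Unavailability of Network Infrastructure": ("Medium", "High"),
}


def degree_of_disruption(expected_recovery_hours):
    """Map an estimated operations-recovery time to Low/Medium/High/Extreme.

    Assumption: the upper bound of each band is inclusive.
    """
    hours = float(expected_recovery_hours)
    if hours < 0:
        raise ValueError("recovery time cannot be negative")
    if hours <= 3:
        return "Low"
    if hours <= 6:
        return "Medium"
    if hours <= 24:
        return "High"
    return "Extreme"


def assess(situation, expected_recovery_hours):
    """Rate the event and say whether the table anticipates that rating and who handles it."""
    if situation not in SITUATION_RANGE:
        raise KeyError(f"situation not in the invocation table: {situation}")
    degree = degree_of_disruption(expected_recovery_hours)
    lo, hi = SITUATION_RANGE[situation]
    expected = DEGREES.index(lo) <= DEGREES.index(degree) <= DEGREES.index(hi)
    return {
        "situation": situation,
        "degree": degree,
        "expected_for_situation": expected,   # False: re-check the estimate before acting
        "handled_locally": degree == "Low",   # Medium and above: contact the BCP Administrator
    }


if __name__ == "__main__":
    # Constructed estimates for a sample run
    for situation, hours in [("Unavailability of Systems", 2),
                             ("Unavailability of Premises", 6),
                             ("Unavailability of Network Infrastructure", 30)]:
        print(assess(situation, hours))
```

A systems outage expected to clear in 2 hours is rated Low, which the table does not list for that situation, so the branch would confirm the estimate before treating it as a local matter; a network outage estimated at 30 hours is Extreme, beyond the table's High, and clearly a matter for the BCP Administrator.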
SOP under Medium to Extreme Disruption
• In case of a major/ extreme disaster or disruption where operations recovery is expected to exceed 6 to 24 hours:
• The Branch Manager will contact the BCP Administrator and convey the gravity of the situation.
• The BCP Administrator, in consultation with the BCP Invoking and Recovery Team, will INVOKE BCP.
• The branch will move to the alternate back-up branch.
• IT Division, Country Operations, Admin and HR will provide the necessary support to restore the affected branch’s operations.
SOP Under Low Degree Disruption (Operations Recovery Expected within 3 hours)
• Branch management will handle the situation locally.
• Inform and seek support and guidance from IT Division & Country Operations, under intimation to the BCP Administrator, for restoration of systems, network and operational processes.
• Seek support from the Remote Operations Unit at Country Operations for system-related processing issues.
Remote Operations Unit (ROU)
• This unit, under the supervision of Country Operations, provides support to branches, especially those located in remote areas, that face connectivity and system issues, a poor law and order situation or other contingencies where branch operations are subject to disruption. In such scenarios the Remote Operations Unit provides IT-related processing services to facilitate branch operations:
• All system-related processing, such as cash deposit, cash withdrawal, instrument realization (i.e. CDR, PO, DD), fund transfer, stop payment, clearing and system day-end, is performed at ROU on the basis of requests received by fax.
• Dedicated staff at ROU perform the requested services on behalf of the branch in line with the approved SOPs implemented at branches.
• After successful execution of the process/ transactions, ROU informs the concerned branch for any further processing at its end.
Centralized Operations as Back-up Units
• Centralized operations of Trade CPU and Credit Admin.
– Centralized operations of the Trade CPU and CAD units located in the South and North Regions will act as back-up sites for each other and provide all operational support to process and record the transactions and services of the affected branch/ division.
BRANCH ROLE & RESPONSIBILITIES DURING NORMAL CONDITIONS
• Identify CRITICAL STAFF and define their roles & responsibilities.
• Define staff back-ups and the ASSEMBLY/ GATHERING POINT.
• Duplicate keys to be kept at the nearest branch.
• Duplicate rubber stamps and letterheads to be kept in a fire-proof vault.
• Fire alarms, sensors, firefighting equipment and panic buttons are kept in working order and serviced regularly.
• Conduct dry tests of all security alarm systems outside business hours.
• Fire drills must be conducted and documented at least once a year.
• Keep emergency numbers of the Fire Brigade, Police and Ambulance on the notice board.
• Proper signs for No Smoking Zones and Voltage Warnings are displayed at the branch.
BRANCH ROLE & RESPONSIBILITIES DURING NORMAL CONDITIONS
• All emergency exits and passages are kept clear & marked.
• Emergency exits can be opened easily from inside.
• The Branch Manager ensures the proper functioning of CCTV.
• Placement of back-up records at a remote location.
• Placement of safe keys at a remote location.
• Bank cash and records are locked in the vault/ safe.
BRANCH ROLE & RESPONSIBILITIES DURING EMERGENCY / DISRUPTION
• Immediately inform senior management and the BCP Administrator.
• Ascertain the degree of disaster and disruption (low, medium, high or extreme) so that the BCP Administrator can decide whether to invoke BCP.
• Limit further damage, secure facilities and identify the need for invoking BCP.
• Contact emergency services, i.e. Police, Ambulance, Fire Brigade.
• Liaise with the Area Manager/ RGM/ BCP Administrator for resumption of normal operations.
• Relocate available staff to the alternative site.
• Provide full support to the BCP Invoking & Recovery Team
o for resumption of business from the alternative site;
o for recovery of the ACTUAL/ DISASTER SITE.
INITIALIZING OPERATIONS FROM SECONDARY SITES
• Ensure that the alternate site has the necessary resources available (i.e. PCs, printers, etc.).
• Set up temporary workstations for cash receipt/ payment/ clearing/ remittances and others.
• Establish a help desk to attend to and facilitate customer enquiries.
• Display the address/ contact details of the secondary site at the affected branch site for customers.
• Publish a notice in the local newspaper (if required).
• Move the duplicate keys and critical records/ rubber stamps to the back-up site.
• Obtain a fresh amount of cash from SBP or an SMBL branch, since retrieval of cash, critical records and rubber stamps from the vault may be delayed pending fulfillment of insurance and other requirements.
• Co-ordinate with the BCP Invoking & Recovery Teams for the availability of IT facilities.
• Initiate the critical functions from the secondary branch and confirm relocation to Area/ RGMs.
RECOVERY PROCEDURES
• Gather all preliminary information on the incident and identify the expected recovery time scale.
• For recovery of loss under an insurance claim, immediately update the BCP Invoking & Recovery Team for onward processing.
• After restoration of the incident site, update the BCP Administrator and relocate employees back to their original location.
EMERGENCY RESPONSE INSTRUCTIONS
This section provides an effective, predefined framework and process to respond to the following:
◦ On discovery of fire
◦ Bomb threat
◦ On discovery of suspected bomb
◦ Flood/ water damage procedure
◦ Act of terrorism, civil commotion & riots
◦ Hold-up procedure
◦ Strike
It should be noted that the safety of human life should always remain the number one priority.
BCP Instructions
ON DISCOVERY OF FIRE
◦ Raise the alarm by breaking the glass of the nearest fire alarm point;
◦ Call the fire brigade and give the complete address of the building, including the NEAREST LANDMARK;
◦ Advise the switchboard of the location of the fire;
◦ Attack the fire with emergency equipment (only if safe to do so);
◦ If possible, close windows and doors to contain the fire;
◦ Evacuate the building.
BCP Instructions
BOMB THREAT
◦ Inform the Police immediately. While doing so, do not put down the handset or cut off the conversation;
◦ Care must be taken not to create panic; if the branch is open for business, customers should be advised calmly of the reason;
◦ Evacuate the building.
ON DISCOVERY OF SUSPECTED BOMB
◦ Look out for anything unusual or out of place which might indicate the presence of a bomb;
◦ If a suspicious object or package is found, do not touch or move it;
◦ Inform the Police and Emergency Services immediately;
◦ Evacuate the building.
BCP Instructions
FLOOD/ WATER DAMAGE PROCEDURE
◦ Check whether electronic and electrical equipment is affected;
◦ If equipment is wet, do not touch it, but turn it off at the main power switch;
◦ If electrical equipment is currently dry, power it down normally (i.e. PCs and printers);
◦ Attempt to stop the source of the water;
◦ Advise the switchboard of the location;
◦ Inform Emergency Services immediately.
BCP Instructions
ACT OF TERRORISM, CIVIL COMMOTION & RIOTS
◦ Inform the Police, Fire Brigade and Ambulance services immediately. While doing so, do not put down the handset or cut off the conversation;
◦ Staff in vulnerable areas, such as near windows overlooking the street on which the commotion is taking place, should draw the blinds if available and move to the rear of the office;
◦ The bank’s assets should be stored away in safes/ strong rooms/ fire-proof cabinets;
◦ In consultation with Country Operations, close down the branch and advise staff to leave (when it is safe to do so).
HOLD-UP PROCEDURE
◦ If possible, activate/ raise the panic alarm without attracting the attention of the robbers.
◦ Do exactly as demanded by the robbers; do not take any risks.
◦ Study one or more of the robbers carefully, and memorize identifying characteristics and other relevant information.
◦ Do not panic: remaining calm will enable you to be more observant, and less likely to jeopardize your own life or the lives of others.
◦ Ensure that the Police have been informed, particularly if no silent alarm is provided.
◦ Ensure that the BCP Administrator has been informed of the entire event.
◦ Ensure the hold-up area is secured and that all evidence is protected.
BCP Instructions
• STRIKE
– The office should look non-operational from outside, i.e. all windows/ glass covered with window blinds.
– Guards should stand inside the main entry.
– Main shutters/ grills should be partially down.
EMERGENCY EVACUATION PROCEDURE
• When the building evacuation alarm is activated during an emergency, leave by the nearest marked exit and alert others to do the same.
• STOP YOUR WORK. EVACUATE THE BUILDING IMMEDIATELY!
• USE THE STAIRWAY; DO NOT USE THE ELEVATOR IN ANY EMERGENCY SITUATION.
• Use the nearest safe stairs and proceed to the nearest exit.
• Stay calm; do not rush and do not panic.
• If there is time, turn off personal computers to protect SMBL data from possible damage.
• If it is safe to do so, gather your personal belongings (Reminder: take prescription medications out with you if at all possible; it may be hours before you are allowed back in the building).
EMERGENCY EVACUATION PROCEDURE
• If safe to do so, close your office door and windows, but do not lock them.
• Be alert for individuals with disabilities or injuries who may need assistance. However, under no circumstances should an individual risk or jeopardize his/ her personal safety in an attempt to rescue another person.
• Evacuated staff are to assemble outside the branch/ office.
• Keep streets and walkways clear for emergency vehicles and fire and medical crews.
• After normalization, staff are to return to their office after permission from their Manager.
EMERGENCY EVACUATION PROCEDURE
DO NOT
• DO NOT use lifts;
• DO NOT shout or run, as this can cause panic;
• DO NOT remain behind to collect personal belongings;
• DO NOT re-enter the building after evacuation for any reason;
• DO NOT talk to media people about the situation; let them gather news from official sources.
MANAGERS
• Should ensure that all staff in their domain leave the building promptly, along with any visitors and members of the general public in their areas, if any.
• At the Emergency Assembly Point, take attendance and make sure all staff are accounted for (this means you must have a list of your staff present on the particular day in your pocket).
If safe to do so
• Bank assets, cash, records, etc. should be quickly locked away in safe, fire-proof accommodation if possible.
• Bank cars are to be parked in safer places if possible.
Thank You!
Operational Risk Management Department
Enterprise Risk Management Group
HO | Summit Tower, 11th Floor, Plot No. G-2, Clifton - Block 2, Karachi.