The document discusses integrating operational risk management and business continuity management approaches. It argues that taking an integrated approach provides synergies between the two frameworks in terms of stakeholders, framework components, and intended outcomes. An integrated approach allows for a proactive identification and assessment of risks, evaluation of controls, mitigation of operational risks through business continuity plans and insurance, and calculation of capital requirements. Embedding the integrated approach culturally is also important. The presentation concludes that an integrated operational risk and business continuity framework can help define risk appetite, be practical and simple for businesses to implement, and drive efficiencies.

1. Leading the risk profession
Operational Risk & Business Continuity
Management - An Effective And Integrated
Approach
Chris Lintern
Co-operative Financial Services

2. Introduction & Approach
Chris Lintern
• Background in all aspects of Business Continuity Management within
Financial Services
• Part of central Operational Risk Management Team
Co-operative Financial Services
• Includes Co-operative Bank, Co-operative Insurance, Co-operative
Investments
• Merged last year with Britannia Building Society
• Our vision is to be the UK’s most admired financial services business
Approach to this session
• Active participation
• All views welcome and appreciated

3. Purpose
• To share thoughts on the benefits of integrating Operational
Risk & Business Continuity
• Consider some of the key stakeholders, and the aims, and
components for Operational Risk and Business Continuity
frameworks
• Conclusions

4. What is Operational Risk Management?
Managing the risk of loss resulting from inadequate or failed
internal processes, people and systems or from external events
(Basel Committee of the Bank of International Settlements)
What is Business Continuity?
A holistic management process that identifies potential threats to
an organisation and the impacts to business operations that those
threats, if realised, might cause and which provides a framework
for building organisational resilience with the capability for an
effective response that safeguards the interests of its key
stakeholders reputation, brand and value creating activities
(BS25999 – British Standard for BCM)

5. Back to Basics
Preventing nasty surprises wherever practical, and
having the confidence that your organisation can
respond to and mitigate them - if and when they occur
Health
&
Safety
Key
Suppliers /
Outsource
Partners
Key person
dependencies
System
failures
Property &
Facilities
External threats

6. Historic Positioning of Op Risk & BCM
• Focus on “traditional” business continuity – denial of
access to premises, or loss of systems
• BCM and Operational Risk seen as separate entities
BCM
Operational
Risk

7. Synergies between the two
Stakeholders
Framework
Components
Intended
Outcome
Board
Policy &
Procedures
Understanding
of appetite
Executive & Senior Supporting
Management
documents
Proactive
assessment
Operational
Management
Understanding
of impact
Plans & Training
Other Considerations
Impact on Capital
Impact on Change
Insurance

8. Operational Risk – Integrated Approach
Operational
Risk
Control SelfAssessment
Business
Continuity
Insurance
Operational
Risk Capital

9. Operational Risk – Integrated Approach
Operational
Risk
Control SelfAssessment
Business
Continuity
Proactive identification of risks
• Assessment and evaluation
• Scenario analysis
Insurance
Operational
Risk Capital

10. Operational Risk – Integrated Approach
Operational
Risk
Control SelfAssessment
Business
Continuity
Insurance
Assess controls
• CSA process
• Review control weaknesses
• Track actions
• Link control evidence to risks
• Review incidents as evidence of control failures
Operational
Risk Capital

11. Operational Risk – Integrated Approach
Operational
Risk
Control SelfAssessment
Business
Continuity
Mitigation of operational risks
• Crisis Management Team & Plan
• Incident Management Teams
• Crisis Management Centre
• Work-Area Recovery
• Disaster Recovery strategy
Insurance
Operational
Risk Capital

12. Operational Risk – Integrated Approach
Operational
Risk
Control SelfAssessment
Business
Continuity
Insurance
Risk transfer
• Placement
• Claims Handling
• Specific perils e.g. Buildings/Contents, Business
Interruption Insurance
• Advice & Guidance
Operational
Risk Capital

13. Operational Risk – Integrated Approach
Operational
Risk
Control SelfAssessment
Business
Continuity
Capital against unexpected losses
• Calculation
• Planning
Insurance
Operational
Risk Capital

14. Operational Risk Components
Purpose
Vision
Strategy
3 Year Strategic
Plan
External Events
e.g. Weather,
Terrorism
Operational
Risk Appetite
Operational
Risk Capital
Change agenda
Core
Processes
Control SelfAssessment
Critical
Systems
Colleagues
Operational Risk
Key Controls
Top-down
Operational Risk
Profile
End-to-end
Process view
Bottom-up
Operational Risk
Profile
Scenarios
Facilities
Suppliers &
Outsource
Partners
Business Continuity
Resilience
Work-Area
Recovery
Disaster
Recovery
Incident &
Crisis
Management
Incident & NearMiss Reporting
Operational Risk strategy and plan
Reporting
Insurance
Programme
Policies
Claims

15. Operational Risk Components
Purpose
Vision
Strategy
3 Year Strategic
Plan
External Events
e.g. Weather,
Terrorism
Operational
Risk Appetite
Operational
Risk Capital
Change agenda
Core
Processes
Control SelfAssessment
Critical
Systems
Colleagues
Operational Risk
Key Controls
Top-down
Operational Risk
Profile
End-to-end
Process view
Bottom-up
Operational Risk
Profile
Scenarios
Facilities
Suppliers &
Outsource
Partners
Business Continuity
Resilience
Work-Area
Recovery
Disaster
Recovery
Incident &
Crisis
Management
Incident & NearMiss Reporting
Operational Risk strategy and plan
Reporting
Insurance
Programme
Policies
Claims

16. Embedding the Culture
• Business buy-in of paramount importance
• Incident Management framework known and utilised –
importance of exercising
• Risk Division seen as involved – not sat in Ivory Towers
• Part of the solution, not part of the problem - BC & Op Risk
representatives heavily involved in Incident Management
• Keep things simple – common language
• Linked to the CFS customer promise

17. Incident Framework
Crisis
Management
Team
Escalate
up
Incident Management
Teams
Operational Risk
(incl. BCM)
IS Service
Continuity
Business units / areas
BC plan owners and Plan co-ordinators
Cascade
down

18. Incident Management Team - Structure

19. Integrated Approach

20. Conclusions
• An effective, and consistent framework
• Can be used to define overall risk appetite at Board level
• Practical considerations – both areas need policies &
procedures
• Simple for the business
• Aligned to business processes
• Crucial that it’s accepted from a cultural perspective within the
newly merged organisation
• Potential to drive efficiencies and cost-savings

21. Thank You
Any Further Questions –
Chris.Lintern@cfs.coop