Leading the risk profession

Operational Risk & Business Continuity Management - An Effective And Integrated Approach
Chris Lintern
Co-operative Financial Services
Introduction & Approach
Chris Lintern
• Background in all aspects of Business Continuity Management within
Financial Services
• Part of central Operational Risk Management Team
Co-operative Financial Services
• Includes Co-operative Bank, Co-operative Insurance, Co-operative
Investments
• Merged last year with Britannia Building Society
• Our vision is to be the UK’s most admired financial services business
Approach to this session
• Active participation
• All views welcome and appreciated
Purpose
• To share thoughts on the benefits of integrating Operational
Risk & Business Continuity
• Consider some of the key stakeholders, and the aims, and
components for Operational Risk and Business Continuity
frameworks
• Conclusions
What is Operational Risk Management?
Managing the risk of loss resulting from inadequate or failed
internal processes, people and systems or from external events
(Basel Committee of the Bank of International Settlements)

What is Business Continuity?
A holistic management process that identifies potential threats to
an organisation and the impacts to business operations that those
threats, if realised, might cause and which provides a framework
for building organisational resilience with the capability for an
effective response that safeguards the interests of its key
stakeholders, reputation, brand and value creating activities
(BS25999 – British Standard for BCM)
Back to Basics
Preventing nasty surprises wherever practical, and
having the confidence that your organisation can
respond to and mitigate them - if and when they occur
• Health & Safety
• Key Suppliers / Outsource Partners
• Key person dependencies
• System failures
• Property & Facilities
• External threats
Historic Positioning of Op Risk & BCM
• Focus on “traditional” business continuity – denial of
access to premises, or loss of systems
• BCM and Operational Risk seen as separate entities

[Diagram labels: BCM; Operational Risk]
Synergies between the two
Stakeholders
• Board
• Executive & Senior Management
• Operational Management
Framework Components
• Policy & Procedures
• Supporting documents
• Plans & Training
Intended Outcome
• Understanding of appetite
• Proactive assessment
• Understanding of impact
Other Considerations
• Impact on Capital
• Impact on Change
• Insurance
Operational Risk – Integrated Approach

• Operational Risk
• Control Self-Assessment
• Business Continuity
• Insurance
• Operational Risk Capital
Proactive identification of risks
• Assessment and evaluation
• Scenario analysis
Assess controls
• CSA process
• Review control weaknesses
• Track actions
• Link control evidence to risks
• Review incidents as evidence of control failures
Mitigation of operational risks
• Crisis Management Team & Plan
• Incident Management Teams
• Crisis Management Centre
• Work-Area Recovery
• Disaster Recovery strategy
Risk transfer
• Placement
• Claims Handling
• Specific perils e.g. Buildings/Contents, Business Interruption Insurance
• Advice & Guidance
Capital against unexpected losses
• Calculation
• Planning
Operational Risk Components
• Purpose
• Vision
• Strategy
• 3 Year Strategic Plan
• External Events e.g. Weather, Terrorism
• Operational Risk Appetite
• Operational Risk Capital
• Change agenda
• Core Processes
• Control Self-Assessment
• Critical Systems
• Colleagues
• Operational Risk
• Key Controls
• Top-down Operational Risk Profile
• End-to-end Process view
• Bottom-up Operational Risk Profile
• Scenarios
• Facilities
• Suppliers & Outsource Partners
• Business Continuity: Resilience, Work-Area Recovery, Disaster Recovery
• Incident & Crisis Management
• Incident & Near-Miss Reporting
• Operational Risk strategy and plan
• Reporting
• Insurance: Programme, Policies, Claims
Embedding the Culture
• Business buy-in of paramount importance
• Incident Management framework known and utilised –
importance of exercising
• Risk Division seen as involved – not sat in Ivory Towers
• Part of the solution, not part of the problem - BC & Op Risk
representatives heavily involved in Incident Management
• Keep things simple – common language
• Linked to the CFS customer promise
Incident Framework

• Crisis Management Team
• Escalate up
• Incident Management Teams
• Operational Risk (incl. BCM)
• IS Service Continuity
• Business units / areas: BC plan owners and Plan co-ordinators
• Cascade down
Incident Management Team - Structure
Integrated Approach
Conclusions
• An effective, and consistent framework
• Can be used to define overall risk appetite at Board level
• Practical considerations – both areas need policies &
procedures
• Simple for the business
• Aligned to business processes
• Crucial that it’s accepted from a cultural perspective within the
newly merged organisation
• Potential to drive efficiencies and cost-savings
Thank You
Any Further Questions –
Chris.Lintern@cfs.coop
