1. www.natbank.co.mw The Bank of the Nation
National Bank of Malawi
Operational Risk Management Framework Presentation
2. Structure of Risk Management Policy
Risk Management Policy
• Credit Risk Management Framework
• Operational Risk Management Framework
- Operational Risk Policy
- Operational Risk Loss Event Reporting Guidelines
- Credit Operational Risk Boundary Events Guidelines
- Operational Risk Incident Management Guidelines
- Business Line Mapping Guidelines
- Procedures for Filling Operational Risk Loss Event Reporting Template
• Market Risk Management Framework
• Liquidity Risk Management Framework
3. Operational Risk Management Policy
• Operational Risk is the risk of loss resulting from inadequate or
failed internal processes, people and systems or from external
events.
• Lays the framework for formal operational risk
management architecture
• Establish responsibility for OpRisk identification and
analysis, planning for risk mitigation, management
and oversight
• Purpose of the Policy: ensuring OpRisks to NBM are identified,
analyzed, and managed to maintain them at an acceptable level
R I S K D I V I S I O N
4. Roles and Responsibilities
• Board Risk Committee (BRC)
• Enterprise Risk Committee (ERCO)
• Senior Management
• Risk Division
• Internal Audit
5. Board Risk Committee
• Approves broad business strategies and
policies that govern Operational Risk
• Provide guidance on the level of tolerance for
Operational Risk
• Establish an appropriate structure and lines of
authority for managing Operational Risk
• Monitor the Bank’s performance and the
overall Operational Risk Profile
• Ensure the Bank takes necessary steps to
identify, measure, monitor and control OpRisk
6. Enterprise Risk Committee (ERCO)
• Approve the operational risk governance and
management structures of the Bank’s units
• Oversee limit breaches and their resolution
• Monitor Financial Performance against
OpRisk Capital
• Review the framework regularly to ensure
the Bank is managing OpRisk associated with
new products, activities and/or systems
7. Senior Management
• Implement OpRisk management framework
• Develop policies, processes, and procedures for
managing OpRisk in all material products, activities,
processes and systems
• Assign authority, responsibility, and reporting
relationships to maintain accountability
• Clear communication of OpRisk policies to staff at all
levels in the Bank’s units that incur material operational risks
• Enforce operational risk policies
• Policies, processes and procedures well-documented
8. Senior Management cont’d
• Implement strategies in a manner that limits
operational risks associated with each strategy and
ensures compliance with Laws and Regulations
• Maintain adequate systems and standards for measuring
OpRisk
• Maintain a comprehensive OpRisk reporting and
management review process
• Maintain effective internal controls and ethical
standards
• Ensure prudent risk taking against the Bank’s OpRisk
Capacity and Appetite and, where appropriate, initiate risk
transfer to mitigate against imprudent levels
9. Risk Division
• Develop OpRisk policies, philosophies and
methodologies
• Develop and oversee implementation of ORMF
and risk control
• Develop and implement an OpRisk limit and capital
allocation framework for OpRisk
• Monitor OpRisk utilization against hard limits and
management action triggers on a regular basis
• If breaches occur, assess appropriateness and
timeliness of corrective actions
• Submit reports to senior management and BRC
• Instances of non-compliance raised to Senior
Management and BRC
10. Internal Audit
Periodically assess:
• Compliance with Banking Act and associated
regulations
• The validity, reliability and integrity of
operational risk information
• The valuation process, including the model
validation process
• The safeguarding of assets in so far as
operational risk control is concerned
11. Operational Risk Management Approach
1. Tolerance and Appetite
The bank has a low appetite and
tolerance for material operational risk it is
exposed to. Currently, the operational risk
loss and tolerance appetite is less than
0.1% of the Core Capital and the
tolerance for breaches and fines is 0%.
12.
2. Principles for Identifying, Assessing, Monitoring and Controlling/Mitigating OpRisk
A. Identification & Assessment
i. Risk and Control Self Assessments
ii. Risk Maps and Process Flows
iii. Risk assessment of new products, processes and systems
13.
B. Monitoring
Monitoring techniques shall include:
• Risk and Control Self Assessments
• Key Risk Registers
• Key Risk Indicators
C. Control
• Escalation triggers
• Breach Logs and Near Misses
• Operational Risk Internal Loss data
template
14. Basel II Operational Risk Categories
The categories include the following:
• Handling of internal and external frauds
• Employment practices + workplace
safety
• Clients, Products + Business Practices
• Prevention of Damage to Physical Assets
• Ensure efficient + secure execution,
delivery + process management
15. Other OpRisk Management Approach
• Appropriate segregation of duties, including
independent authorization of transactions
• Reconciliation + monitoring of transactions
• Compliance with regulatory + legal requirements
• Documentation of controls + procedures
• Reporting of Operational losses + remedial
actions
• Training + professional development
• Ethical + business standards
16. Measurement of OpRisk Capital Charge
The bank has adopted The Basic
Indicator Approach (BIA) to measure the
amount of capital charge that should be
put aside to absorb expected operational
losses and to protect the institution
against unexpected losses that may be
encountered in the normal course of
business.
17. Business Continuity Planning
The Bank shall have a comprehensive
business continuity planning (BCP)
framework to prepare for disasters and
ensure that it will ultimately continue with its
business operations of providing services to
customers. Disasters in various forms,
including fire outbreaks, flooding, civil
disturbances and equipment failure, can
render our bank unit premises (together with
their contents) not available for use.
18. BCP Continued
The BCP process shall include the following:
• Business impact analysis (BIA)
• Classification of operations and criticality
analysis
• Development of a BCP and Disaster
Recovery Procedures (DRP)
• Training and awareness program
• Testing and implementation of plan; and
• Monitoring.
20. OpRisk Incident Management Guidelines
Purpose
• Ensure operational risk incident management
process is fit for the purpose, but also enables
compliance with regulatory requirements including the
qualifying criteria for the Advanced Measurement Approach;
• Ensure incident data collected is sound in terms of validity,
completeness, accuracy and timeliness to ensure that it
may be used to manage incidents, assist management in
decision-making and be used in scenario analysis, risk and
control self-assessments, key risk indicators and capital
modeling;
21. Purpose Continued
• Aligns relevant definitions, including the
basis for reporting gross and net losses,
and ensures that they are used
consistently across business units in the
bank
• The current capital charge under the BIA
which is 15% of Gross Revenue is high
compared to Advanced Approaches if we
adopt these good data collection methods
22. Roles and Responsibilities
1. ERCO
• Set the tone from the top to promote a transparent
culture where all staff are encouraged to report
incidents while promoting a culture of
accountability to avoid a blame culture
• Assess the adequacy of actions being taken to
address material incidents or trends of incidents
• Ensure that the criteria being used to assess the
materiality of each incident type are consistent with
their operational risk appetite/tolerance
23. Roles and Responsibilities Continued
2. Business Units shall:
• Ensure that all their staff members are aware of this
policy and adhere to its minimum requirements
• Ensure that OpRisk incidents are identified and
recorded as soon as the incident is recognised to
have occurred
• Define action plans for those incidents (individually
or in aggregate) that highlight risk exposures or
control weaknesses beyond an acceptable level
• Promote a culture of transparency where staff are
encouraged to report incidents
24. Roles and Responsibilities Continued
3. Risk Division shall:
• Develop and maintain the incident management
methodology that ensures that incident data is
adequate to meet both internal management/business
needs as well as the qualifying criteria
for the Advanced Measurement Approach
• Maintain a central database of all incidents
captured across the bank
• Oversee the compliance with the policy and
methodology by all units
• Develop a bank-level materiality matrix
comprising thresholds for the escalation of OpRisk
incidents based on materiality and significance
25. Minimum Requirements
A. Identification of a Reportable Incident
• Incidents must include financial and non-financial impacts, and
also incidents which could potentially lead to such impacts
• All incidents which result in financial impact in excess of a
minimum amount must be treated as reportable incidents
• All financial crime incidents, irrespective of value, must be
recorded to facilitate consideration for investigation by the
Investigations Manager.
• For incidents which do not result in a direct financial impact, an
incident shall be treated as reportable if it reflects a failure of a
key control, or an inadequacy of the control framework or
operating model, which raises lessons to be learnt. As this
remains a judgemental area, if there is any doubt over whether
an incident is reportable Operational Risk shall provide case
by case guidance on how to treat each incident.
26. Minimum Requirements Cont’d
B. Reporting an Incident
• All staff members are required to report operational incidents
except for fraud, forgeries and losses to Risk Division (RD), as
soon as possible and at least within 48 hours after the incident is
recognised.
• Anyone who identifies a reportable incident should use the
incident reporting form to report the incident to RD.
• In the event that the incident reporting form cannot be completed
within the 48 hour deadline, then an e-mail notification of the
incident should be sent to RD and the form completed as soon as
possible, thereafter.
27. Incident Capture and Classification
• All reported incidents shall be maintained
within a central incident database
administered by RD
• Operational Risk shall ensure classification
of each incident in accordance with the
data requirements prescribed within the
central database. This will include
classification against each of the prescribed
taxonomies.
28. Measurement of Impact
The impact of an incident must be measured in a
consistent manner by all BUs, based on the loss
measurement methodology provided by RD. This will
include the following key elements:
• Gross loss
The loss incurred before mitigation or recoveries.
Gross Loss amount is a key input into the capital
model as well as a regulatory requirement. The gross
loss amount of an incident must be recorded
• Net loss
The loss incurred after taking into account recoveries
from clients, insurance or other sources
29. Data Quality + Completeness
• Each unit is responsible for the
completeness and accuracy of incident
data reported to the central database.
Business line management must review
and sign off all incidents reported.
• A validation between the incidents
reported to the central database and the
general ledger will be performed.
30. Losses that materialize over time
In some cases, an incident can span
several reporting periods. Additional
recoveries or losses relating to the
incident must be linked to the original
incident, and the date of capture to the
general ledger is a key requirement. A
typical example is legal cases.
32. Operational Loss Event Reporting Guidelines
Purpose:
• Formalize and document NBM’s Operational
Loss Event Reporting
• Ensure effective and comprehensive reporting
and classification of loss events that can be
attributed to operational risk in line with Basel II
regulatory requirements, governance
requirements, risk management principles,
policies and international best practice
• Fulfill the Bank’s legal and statutory obligations
33. Roles and Responsibilities
1. Enterprise Risk Committee (ERCO)
• Ensuring that systems, processes and
procedures are in place for the
recording, monitoring, reporting and
reviewing of operational loss events, as
defined by regulatory or group
requirements; and
• Monitoring and analyzing operational
risk trends
34. Roles and Responsibilities continued
2. Risk Division (RD)
• Creating awareness of the requirements
of this policy
• Monitoring implementation of this policy and
supportive procedures by management
• Regular reporting of operational loss events, as
defined by regulatory or business requirements
• Liaising with Finance Division officers to validate
direct losses (per loss database) associated with
operational loss events in the general ledger.
35. Roles and Responsibilities continued
• Record-keeping of operational loss events
• Validating the correctness of regulatory
classifications of loss events
3. Heads of Division/Service Centre Managers
• Reporting, escalating and signing off
operational loss events, as defined by
regulatory or business requirements
• Creating awareness of the requirements of this
policy within their area of responsibility
36. Roles and Responsibilities continued
• Implementing or adjusting business
processes to meet the requirements of
this policy
• Implementing appropriate action plans
or controls to address systemic control
failures
37. Operational loss event reporting principles
1. Open Risk Culture
The Bank promotes an open, positive and non-punitive
approach towards operational loss event
reporting and has therefore adopted an open practice
policy to encourage staff to report on operational loss
events.
The Bank is aiming to ensure that employees feel
comfortable in reporting operational loss events in the
knowledge that the information provided will be
treated constructively and shared only as appropriate.
No disciplinary action will be taken against an
employee reporting a loss, unless there has been a
breach of law, dishonesty or wilful negligence.
38. Reporting Requirements
It is the policy of the Bank to report any
operational loss event that meets the
criteria for being an operational risk
direct/indirect loss or a near miss
40. CREDIT OPRISK BOUNDARY EVENTS GUIDELINES
Purpose:
• Is intended to complement and give effect
to the principles outlined in the Operational
Risk Incident Management Policy in
respect of all boundary events
• Establishes a set of core principles to drive
the identification, monitoring, and reporting
of credit risk boundary events within the bank,
ensuring alignment to regulatory requirements
and industry best practice
41. CREDIT RISK
Credit risk is the risk of loss due to
counterparty default. It is understood that, for
capital purposes, any write-down value due
to loss of recourse may be considered credit
loss
Credit Risk Boundary Event
Operational risk incidents and losses which
occur within the credit risk regime (process)
and which may on occasion be comingled
with credit risk losses.
42. Control Failure
For management information purposes all Operational Risk /
Credit Risk boundary events are to be classified as one of
the following:
• Opening account document problems
• Input into Credit scoring system incorrect / manipulated
• Non-compliance with policy
• Non-compliance with processes
• Non-compliance with legislation
• Non-Compliance with conditions of Grant
• Security lost/not enforceable
• Facility letter incorrect
• Facility captured incorrectly
• Faulty valuation methodology used
• Mandate exceeded
43. Operational Risk
Operational Risk is the risk of loss
suffered as a result of inadequacy of, or a
failure in, internal processes, people and
systems or from external events. This
includes information risk and legal risk,
but excludes reputational risk and
strategic risk.
44. Roles and Responsibilities
1. Business Unit Management
• Ensure that Credit Risk boundary events
i.e. Type 1 and 2 are reported through to
the relevant business Unit, and Risk
Division immediately upon identification;
• Ensure that a detailed explanation of the
loss is prepared
• Ensure that the root causes are
understood and appropriate remedial
actions are taken in response to lessons
learnt
45. Roles and Responsibilities Cont’d
2. Risk Division
• Facilitate a discussion around the
underlying causes of the reported credit
risk boundary event;
• Undertake a review of Business Unit
data in order to ensure that all data
regarding credit risk boundary event have
been duly reported
46. Roles and Responsibilities Cont’d
• Establish whether the reported credit
risk boundary event was correctly
categorised by Business Unit
Management;
• Quantify the portion of the credit risk boundary
event attributable to the operational risk incident:
The rationale used for the attribution must be
clearly documented; and
Such attribution must be approved by the
Heads of Risk and Credit;
47. Roles and Responsibilities Cont’d
• Ensure that the credit risk boundary
event is properly captured on the
Operational Risk Loss Data Reporting
template; and
• Ensure that the Business Units are taking
the relevant action to address the root
causes of the incidents
48. Roles and Responsibilities Cont’d
3. Enterprise Risk Committee (ERCO)
• Consider items raised to it and advise on
the relevant classification between the
event types defined in this policy;
• Consider losses referred to it by the
Business Units and decide on the
appropriate attribution of the loss
amount
49. Roles and Responsibilities Cont’d
• Ensure such decisions are consistent
with the treatment of any similar items;
• Ensure that the rationale and
assumptions pertaining to such an
attribution are clearly documented and
available for independent scrutiny
• Monitor and report non-compliance with
the policy to the Board Risk Committee
• Undertake an annual review of these guidelines and
underlying methodology to ensure it remains fit
for purpose and practical to implement
50. Minimum Requirements
• Each Business Unit must institute a process in
order to identify, monitor and report all material
operational risk incidents which are related to
credit risk
• The Business Unit management, in conjunction
with Risk Division must ensure that the incident is
captured onto the Operational Risk Loss Data
Reporting template and “flagged” as a Boundary
Event. The incident report should also comply
with the requirements for any operational risk
incident set out in the Operational Risk Incident
Management Policy.
51. Minimum Requirements
• Where there is a material loss arising
from the operational risk component of a
credit related incident, this amount must
be separately identified in accordance
with this policy and separately recorded
as an operational risk loss in the
operational risk loss data reporting
template
• However, this loss must be excluded from the
operational risk loss data set which is used for
operational risk capital modeling purposes
52. Identification + Classification
Type 1 – Operational Credit Risk Boundary Event
Where there has been an operational risk incident
related to a credit process resulting in a loss but
where the loss is not related to the credit worthiness
of the counterparty, the event is to be treated as an
operational credit risk boundary event;
Type 2 – Operational Risk/Credit Risk Boundary Event
In the case of a loss that arises due to the credit
worthiness of a counterparty but where an operational
risk incident has contributed to the severity of the
loss, the event is to be treated as an operational risk
/credit risk boundary event;
53. Identification + Classification
Type 3 – Credit Risk Event
In a case of a loss wholly related to the credit
worthiness of the counterparty, it is to be treated as a
credit risk event with no further implications for
operational risk reporting; and
Type 4 – Operational Risk Event
Where there has been an operational risk incident not
related to a credit process and not resulting in a credit
default, the event is to be treated as a pure
operational risk event. The total amount of loss is to
be classified as operational risk loss. The incident is
to be captured as an operational risk loss.